Re: pg_hba.conf change in 7.4
[ Original email attached.]
I wonder if there is any recommendation to this ?
Is there a way to configure PostgreSQL to not use
IPv6 ?
I don't know what you want us to do about it? Your OS is accepting all
connections as IPv6, so you have to control that with IPv6 addresses in
pg_hba.conf.
We are also wondering if there is a version of Ident server
that the PostgreSQL community knows that will work
with IPv6.
That is the big question. I would think Solaris ships with one, but
maybe not. Is 7.4/Solaris/ident not a workable combination? Folks?
---------------------------------------------------------------------------
pgman wrote:
Seum-Lim Gan wrote:
Hi,
In 7.4, I noticed there is this ::1 and ffff: (x8 of them)
for IPv6.
I looked at the documentation and there is nothing that says
what the ::1 is for.
The ::1 is an IPv6 shorthand for 127.0.0.1 (localhost).
Commenting out that line will prevent access to PostgreSQL
from psql unless I put trust for that line.
This is what I had in 7.3.4:
host all all 127.0.0.1 255.255.255.255 ident pspmap
local all all password
host all all 0.0.0.0 0.0.0.0 reject
But in 7.4, it does not work anymore. It seems to want ::1 to be somewhere.
If I change the line with ::1 from trust to ident pspmap, it complains that
the user cannot be found. But it is in the pspmap. Message from psql:
Seems you have an OS that makes all connections IPv6, even IPv4 ones.
That is why we had to have that line in there. Seems ::1 controls your
local connections on that platform. Some platforms have distinct IPv4
and IPv6 connections, so we have to include both lines in the file.
Right now, I have it set to trust to work around.
Any idea what to do about this ?
host all all 127.0.0.1 255.255.255.255 ident pspmap
local all all password
host all all 0.0.0.0 0.0.0.0 reject
# IPv4-style local connections:
#host all all 127.0.0.1 255.255.255.255 trust
# IPv6-style local connections:
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
Yea, that's about it. My guess is that nothing is coming in via IPv4 on
your machine so 127.0.0.1 does nothing. Perhaps netstat will show the
IP address family used.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
[ moved to -hackers ]
Bruce Momjian <pgman@candle.pha.pa.us> writes:
We are also wondering if there is a version of Ident server
that the PostgreSQL community knows that will work
with IPv6.
That is the big question. I would think Solaris ships with one, but
maybe not. Is 7.4/Solaris/ident not a workable combination? Folks?
Has anyone tested our Ident support under IPv6 on *any* OS?
Right offhand I don't see anything in the RFC 1413 protocol that would
break in moving from IPv4 to IPv6, but that doesn't mean there isn't
anything. One issue that catches my eye is that RFC 1413 assumes that
"port number" is a unique identifier of a connection within a particular
host; that assumption might be shaky in a system that's got multiple IP
addresses. (In particular I wonder whether IPv4 and IPv6 will share a
common port number address space on a system handling both ...)
regards, tom lane
On Sat, Dec 06, 2003 at 02:09:25PM -0500, Tom Lane wrote:
[ moved to -hackers ]
Bruce Momjian <pgman@candle.pha.pa.us> writes:
We are also wondering if there is a version of Ident server
that the PostgreSQL community knows that will work
with IPv6.
That is the big question. I would think Solaris ships with one, but
maybe not. Is 7.4/Solaris/ident not a workable combination? Folks?
Has anyone tested our Ident support under IPv6 on *any* OS?
Right offhand I don't see anything in the RFC 1413 protocol that would
break in moving from IPv4 to IPv6, but that doesn't mean there isn't
anything. One issue that catches my eye is that RFC 1413 assumes that
"port number" is a unique identifier of a connection within a particular
host; that assumption might be shaky in a system that's got multiple IP
addresses. (In particular I wonder whether IPv4 and IPv6 will share a
common port number address space on a system handling both ...)
The tcp connection is two ip/port combinations. The ident
connection should use the same ip address as the other end
connected to, and says which port numbers, so you know the combination.
I haven't tried it ident using postgresql, but I did for other
things and I know it works there.
Kurt
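The port-uniqueness question and the answer above, as an added example that is not part of the original thread and is not PostgreSQL or pidentd code: a model of an RFC 1413 responder that resolves a query by the port pair plus the address pair of the ident connection itself. The connection table, addresses, ports, user names and the folding of IPv4-mapped addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data: connection table of the host running identd.
# (local address, local port, remote address, remote port) -> owning user
CONNECTIONS = {
    ("192.0.2.10", 40001, "192.0.2.50", 5432): "alice",
    ("2001:db8::10", 40001, "2001:db8::50", 5432): "bob",
}

def norm(addr):
    """Canonical text form; IPv4-mapped IPv6 is folded to IPv4 (assumption)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped if mapped is not None else ip)

def ident_reply(query, identd_addr, querier_addr):
    """Answer an RFC 1413 query '<port-on-server> , <port-on-client>'.

    The query carries ports only; the address pair is taken from the
    ident connection itself (identd's local address and the querier's).
    """
    try:
        local_port, remote_port = (int(p) for p in query.split(","))
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT"
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port} , {remote_port} : ERROR : INVALID-PORT"
    key = (norm(identd_addr), local_port, norm(querier_addr), remote_port)
    user = CONNECTIONS.get(key)
    if user is None:
        return f"{local_port} , {remote_port} : ERROR : NO-USER"
    return f"{local_port} , {remote_port} : USERID : UNIX : {user}"

def owners_by_ports_only(local_port, remote_port):
    """Owners a port-pair-only lookup would find; more than one is ambiguous."""
    return sorted(user for (_, lp, _, rp), user in CONNECTIONS.items()
                  if (lp, rp) == (local_port, remote_port))

if __name__ == "__main__":
    print(owners_by_ports_only(40001, 5432))
    print(ident_reply("40001 , 5432", "192.0.2.10", "192.0.2.50"))
    print(ident_reply("40001 , 5432", "2001:db8::10", "2001:db8::50"))
```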
Hi,
The ident server we currently use is pidentd 3.0.16
from :
http://www.lysator.liu.se/ or
ftp://ftp.lysator.liu.se/pub/ident/servers
I am looking to see if Solaris has an ident server but have not
found it.
Gan
At 8:21 pm +0100 2003/12/6, Kurt Roeckx wrote:
On Sat, Dec 06, 2003 at 02:09:25PM -0500, Tom Lane wrote:
[ moved to -hackers ]
Bruce Momjian <pgman@candle.pha.pa.us> writes:
We are also wondering if there is a version of Ident server
that the PostgreSQL community knows that will work
with IPv6.
That is the big question. I would think Solaris ships with one, but
maybe not. Is 7.4/Solaris/ident not a workable combination? Folks?
Has anyone tested our Ident support under IPv6 on *any* OS?
Right offhand I don't see anything in the RFC 1413 protocol that would
break in moving from IPv4 to IPv6, but that doesn't mean there isn't
anything. One issue that catches my eye is that RFC 1413 assumes that
"port number" is a unique identifier of a connection within a particular
host; that assumption might be shaky in a system that's got multiple IP
addresses. (In particular I wonder whether IPv4 and IPv6 will share a
common port number address space on a system handling both ...)
The tcp connection is two ip/port combinations. The ident
connection should use the same ip address as the other end
connected to, and says which port numbers, so you know the combination.
I haven't tried it ident using postgresql, but I did for other
things and I know it works there.
Kurt
--
+--------------------------------------------------------+
| Seum-Lim GAN email : slgan@lucent.com |
| Lucent Technologies |
| 2000 N. Naperville Road, 6B-403F tel : (630)-713-6665 |
| Naperville, IL 60566, USA. fax : (630)-713-7272 |
| web : http://inuweb.ih.lucent.com/~slgan |
+--------------------------------------------------------+
On Sat, Dec 06, 2003 at 01:30:02PM -0600, Seum-Lim Gan wrote:
Hi,
The ident server we currently use is pidentd 3.0.16
The only one I could find in a short time was oidentd. It says it
runs on Linux, *BSD and Solaris. http://dev.ojnk.net/
I've been told that FreeBSD's inetd's internal identd supports it
too.
Kurt
On Sat, Dec 06, 2003 at 01:30:02PM -0600, Seum-Lim Gan wrote:
Hi,
The ident server we currently use is pidentd 3.0.16
from :
http://www.lysator.liu.se/ or
ftp://ftp.lysator.liu.se/pub/ident/servers
The ChangeLog of it says: Solaris 8 (including IPv6) support
added.
But I have a feeling it's better supported in the 3.1 test
versions.
Kurt
Kurt Roeckx wrote:
On Sat, Dec 06, 2003 at 01:30:02PM -0600, Seum-Lim Gan wrote:
Hi,
The ident server we currently use is pidentd 3.0.16
from :
http://www.lysator.liu.se/ or
ftp://ftp.lysator.liu.se/pub/ident/servers
The ChangeLog of it says: Solaris 8 (including IPv6) support
added.
But I have a feeling it's better supported in the 3.1 test
versions.
3.0.16's KNOWNBUGS file says this:
* In general - wait for Pidentd 3.1 befor using it with IPv6 systems.
Of course, using ident for any sort of security mechanism is not good
practice anyway, except possibly on the local host. Over a network it is
totally untrustworthy.
cheers
andrew
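A check for the two configuration risks raised in this thread, as an added example that is not part of the original messages or of PostgreSQL: it parses 7.4-style pg_hba.conf records, compares the first matching method for 127.0.0.1 and ::1, and flags trust on host records and ident on non-loopback networks. It assumes the address-plus-mask record form used in the thread; the function names are hypothetical, and the sample is the thread's 7.4 file with wrapped lines rejoined.

```python
import ipaddress

def parse_hba(text):
    """Parse 7.4-style records into (type, network or None, method)."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                       # local db user method
            rules.append(("local", None, f[3]))
        elif f[0] == "host":                      # host db user addr mask method
            bits = bin(int(ipaddress.ip_address(f[4]))).count("1")
            net = ipaddress.ip_network(f"{f[3]}/{bits}", strict=False)
            rules.append(("host", net, f[5]))
    return rules

def first_match(rules, addr):
    """Method of the first host record covering addr (None: no record)."""
    ip = ipaddress.ip_address(addr)
    for kind, net, method in rules:
        if kind == "host" and net.version == ip.version and ip in net:
            return method
    return None

def audit(text):
    rules = parse_hba(text)
    findings = []
    v4, v6 = first_match(rules, "127.0.0.1"), first_match(rules, "::1")
    if v4 != v6:
        findings.append(f"loopback mismatch: 127.0.0.1={v4} ::1={v6}")
    for kind, net, method in rules:
        if kind == "host" and method == "trust":
            findings.append(f"trust on {net}")
        if kind == "host" and method == "ident" and not net.is_loopback:
            findings.append(f"ident over network on {net}")
    return findings

# The 7.4 file from the thread, wrapped lines rejoined.
THREAD_HBA = """\
host all all 127.0.0.1 255.255.255.255 ident pspmap
local all all password
host all all 0.0.0.0 0.0.0.0 reject
#host all all 127.0.0.1 255.255.255.255 trust
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
"""

if __name__ == "__main__":
    print("\n".join(audit(THREAD_HBA)))
```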