8.4 vs. 9.x: 127.0.0.0/8

On 08/11/2015 01:19 PM, Felipe Gasper wrote:

Hello all,

We are noticing what appears to be a significant difference between
PostgreSQL 9.x and 8.4. Not having found documentation that would point
us in the direction of a good solution, I thought I’d post our issue here.

On CentOS 6 we have postgresql 8.4.20 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

So connections to 127.0.0.200 are handled by pam, connections to
127.0.0.1 are handled by md5.

If I run:
root@jason:/$ psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: PAM authentication failed for user "pguser"

You can see it tried to authenticate using PAM authentication.

On CentOS 7 we have postgresql 9.2.13 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

But, running the command above yields a different result:
root@i-0000764a [/usr/local/cpanel]# psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: password authentication failed for user "pguser"

It tried to use password auth instead of PAM. We think postgresql might
be seeing any 127.0.0.0/8 address as 127.0.0.1. Could you please shed
some light on the issue or point us in the right direction on how to
make the 9.2.13 configuration function as the 8.4.20 configuration does?

Are you sure you are pointing at the right instance of Postgres?

Or to put it another way, is there more than one Postgres server running
on the machine?

Thank you!

-Felipe Gasper
Houston, TX

--
Adrian Klaver
adrian.klaver@aklaver.com

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 11 Aug 2015 5:56 PM, Adrian Klaver wrote:

On 08/11/2015 01:19 PM, Felipe Gasper wrote:

Hello all,

We are noticing what appears to be a significant difference between
PostgreSQL 9.x and 8.4. Not having found documentation that would point
us in the direction of a good solution, I thought I’d post our issue
here.

On CentOS 6 we have postgresql 8.4.20 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

So connections to 127.0.0.200 are handled by pam, connections to
127.0.0.1 are handled by md5.

If I run:
root@jason:/$ psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: PAM authentication failed for user "pguser"

You can see it tried to authenticate using PAM authentication.

On CentOS 7 we have postgresql 9.2.13 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

But, running the command above yields a different result:
root@i-0000764a [/usr/local/cpanel]# psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: password authentication failed for user "pguser"

It tried to use password auth instead of PAM. We think postgresql might
be seeing any 127.0.0.0/8 address as 127.0.0.1. Could you please shed
some light on the issue or point us in the right direction on how to
make the 9.2.13 configuration function as the 8.4.20 configuration does?

Are you sure you are pointing at the right instance of Postgres?

Or to put it another way, is there more than one Postgres server running
on the machine?

Hi Adrian,

Thanks for your prompt response!

There is only one PostgreSQL instance on the PGSQL 9.2 machine.

-F

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 08/11/2015 03:06 PM, Felipe Gasper wrote:

On 11 Aug 2015 5:56 PM, Adrian Klaver wrote:

On 08/11/2015 01:19 PM, Felipe Gasper wrote:

Hello all,

We are noticing what appears to be a significant difference between
PostgreSQL 9.x and 8.4. Not having found documentation that would point
us in the direction of a good solution, I thought I’d post our issue
here.

On CentOS 6 we have postgresql 8.4.20 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

So connections to 127.0.0.200 are handled by pam, connections to
127.0.0.1 are handled by md5.

If I run:
root@jason:/$ psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: PAM authentication failed for user "pguser"

You can see it tried to authenticate using PAM authentication.

On CentOS 7 we have postgresql 9.2.13 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

But, running the command above yields a different result:
root@i-0000764a [/usr/local/cpanel]# psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: password authentication failed for user "pguser"

It tried to use password auth instead of PAM. We think postgresql might
be seeing any 127.0.0.0/8 address as 127.0.0.1. Could you please shed
some light on the issue or point us in the right direction on how to
make the 9.2.13 configuration function as the 8.4.20 configuration does?

Are you sure you are pointing at the right instance of Postgres?

Or to put it another way, is there more than one Postgres server running
on the machine?

Hi Adrian,

Thanks for your prompt response!

There is only one PostgreSQL instance on the PGSQL 9.2 machine.

What does the Postgres log show when you do the above?

-F

--
Adrian Klaver
adrian.klaver@aklaver.com

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

I think there might be some misunderstanding here:

El 11/08/15 a las 17:19, Felipe Gasper escribió:

Hello all,

We are noticing what appears to be a significant difference between
PostgreSQL 9.x and 8.4. Not having found documentation that would point
us in the direction of a good solution, I thought I’d post our issue here.

On CentOS 6 we have postgresql 8.4.20 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

So connections to 127.0.0.200 are handled by pam, connections to
127.0.0.1 are handled by md5.

No! This means that connections that come from 127.0.0.200 are handled
by pam, not connection *to*. Same for 127.0.0.1 (which in this case
means nothing).

If I run:
root@jason:/$ psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: PAM authentication failed for user "pguser"

Which is the source IP where this command is executed.

You can see it tried to authenticate using PAM authentication.

On CentOS 7 we have postgresql 9.2.13 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

But, running the command above yields a different result:
root@i-0000764a [/usr/local/cpanel]# psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: password authentication failed for user "pguser"

Well, which is the IP from where you are running this command?

I guess the answer is in some place around that.

Regards,

--
Martín Marqués http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 11 Aug 2015 6:30 PM, Martín Marqués wrote:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

So connections to 127.0.0.200 are handled by pam, connections to
127.0.0.1 are handled by md5.

No! This means that connections that come from 127.0.0.200 are handled
by pam, not connection *to*. Same for 127.0.0.1 (which in this case
means nothing).

Ah … thank you!

This may indeed point to our fix … though, FWIW, it still seems curious
that the same configuration file worked as we expected in 8.4 but
changed in 9.x.

I’ll take this to my coworkers and see what comes …

-FG

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

Dear Martín,

Thank you for leading us to the right solution!

(We’re also suspecting some change in the networking stack from CentOS
6 to 7 may be playing a part here, too, FYI.)

-FG

On 11 Aug 2015 6:30 PM, Martín Marqués wrote:

I think there might be some misunderstanding here:

El 11/08/15 a las 17:19, Felipe Gasper escribió:

Hello all,

We are noticing what appears to be a significant difference between
PostgreSQL 9.x and 8.4. Not having found documentation that would point
us in the direction of a good solution, I thought I’d post our issue here.

On CentOS 6 we have postgresql 8.4.20 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

So connections to 127.0.0.200 are handled by pam, connections to
127.0.0.1 are handled by md5.

No! This means that connections that come from 127.0.0.200 are handled
by pam, not connection *to*. Same for 127.0.0.1 (which in this case
means nothing).

If I run:
root@jason:/$ psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: PAM authentication failed for user "pguser"

Which is the source IP where this command is executed.

You can see it tried to authenticate using PAM authentication.

On CentOS 7 we have postgresql 9.2.13 and the following pg_hba.conf:

local samerole all md5
host samerole all 127.0.0.200 255.255.255.255 pam
pamservice=postgresql_cpses
host samerole all 127.0.0.1 255.255.255.255 md5
local all postgres md5
host all postgres 127.0.0.1 255.255.255.255 md5

But, running the command above yields a different result:
root@i-0000764a [/usr/local/cpanel]# psql -h 127.0.0.200 -U pguser
Password for user pguser:
psql: FATAL: password authentication failed for user "pguser"

Well, which is the IP from where you are running this command?

I guess the answer is in some place around that.

Regards,

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general