Multiple connections over VPN password fail error
Hi All
while trying to make multiple connects with different role names to a
single database over VPN i faced a password error issue when trying to
connect a send user
It seems I had to change this line in pg_hba.conf and it worked:
`# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> trust ` <=(from the earlier
scram-sha-256)
is this the way and is this correct from a security point of view ?
regards
Sanjay Minni
On 9 Feb 2024, at 08:41, Sanjay Minni <sanjay.minni@gmail.com> wrote:
while trying to make multiple connects with different role names to a single database over VPN i faced a password error issue when trying to connect a send user
It seems I had to change this line in pg_hba.conf and it worked:`# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> trust ` <=(from the earlier scram-sha-256)is this the way and is this correct from a security point of view ?
While correctness and security always needs to be evaluated from the specific
needs of an installation, the odds are pretty good that "No" is the correct
answer here. To quote the documentation on the "trust" setting:
"Allow the connection unconditionally. This method allows anyone that
can connect to the PostgreSQL database server to login as any
PostgreSQL user they wish, without the need for a password or any other
authentication."
I would recommend immediately reverting back to the scram-sha-256 setting and
figuring out why you were unable to login.
--
Daniel Gustafsson
so why do I get a password error when i try to connect 2 users over VPN
from the same machine to the same host with the following settings in
pg_dba.conf - how to find the issue
( user1:user1pwd@<vpnip/database> & user2:user2pwd@<vpnip/database> )
# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> scram-sha-256
and whats the best option keeping security in mind
regards
Sanjay
On Fri, Feb 9, 2024 at 1:26 PM Daniel Gustafsson <daniel@yesql.se> wrote:
Show quoted text
On 9 Feb 2024, at 08:41, Sanjay Minni <sanjay.minni@gmail.com> wrote:
while trying to make multiple connects with different role names to a
single database over VPN i faced a password error issue when trying to
connect a send userIt seems I had to change this line in pg_hba.conf and it worked:
`# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> trust ` <=(from the earlierscram-sha-256)
is this the way and is this correct from a security point of view ?
While correctness and security always needs to be evaluated from the
specific
needs of an installation, the odds are pretty good that "No" is the correct
answer here. To quote the documentation on the "trust" setting:"Allow the connection unconditionally. This method allows anyone
that
can connect to the PostgreSQL database server to login as any
PostgreSQL user they wish, without the need for a password or any
other
authentication."I would recommend immediately reverting back to the scram-sha-256 setting
and
figuring out why you were unable to login.--
Daniel Gustafsson
Hi,
for the second user/role over vpn
even with md5 I get the error:
P3Error PostgreSQL password authentication failed for user "<seconduser>"
am only able to connect if method is "trust". Why is this so
# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> scram-sha-256 (or "md5" -
second user is only able to connect if this is "trust"
regards
Sanjay
On Fri, Feb 9, 2024 at 2:44 PM Sanjay Minni <sanjay.minni@gmail.com> wrote:
Show quoted text
so why do I get a password error when i try to connect 2 users over VPN
from the same machine to the same host with the following settings in
pg_dba.conf - how to find the issue
( user1:user1pwd@<vpnip/database> & user2:user2pwd@<vpnip/database> )# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> scram-sha-256
and whats the best option keeping security in mindregards
SanjayOn Fri, Feb 9, 2024 at 1:26 PM Daniel Gustafsson <daniel@yesql.se> wrote:
On 9 Feb 2024, at 08:41, Sanjay Minni <sanjay.minni@gmail.com> wrote:
while trying to make multiple connects with different role names to a
single database over VPN i faced a password error issue when trying to
connect a send userIt seems I had to change this line in pg_hba.conf and it worked:
`# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> trust ` <=(from theearlier scram-sha-256)
is this the way and is this correct from a security point of view ?
While correctness and security always needs to be evaluated from the
specific
needs of an installation, the odds are pretty good that "No" is the
correct
answer here. To quote the documentation on the "trust" setting:"Allow the connection unconditionally. This method allows anyone
that
can connect to the PostgreSQL database server to login as any
PostgreSQL user they wish, without the need for a password or any
other
authentication."I would recommend immediately reverting back to the scram-sha-256 setting
and
figuring out why you were unable to login.--
Daniel Gustafsson
On Fri, 2024-02-09 at 15:04 +0530, Sanjay Minni wrote:
for the second user/role over vpn
even with md5 I get the error:
P3Error PostgreSQL password authentication failed for user "<seconduser>"
am only able to connect if method is "trust". Why is this so# IPv4 external connections thru VPN
#TYPE DATABASE USER ADDRESS METHOD
host all all <ip> scram-sha-256 (or "md5" - second user is only able to connect if this is "trust"
Please tell us the exact client software in use on the failing client.
Also, what is the error message
1) on the client side
2) in the PostgreSQL server log
Yours,
Laurenz Albe