BUG #4330: Bonjour connections ignore hba config METHOD and always trusted

Started by William Kyngesburye over 17 years ago · 4 messages · bugs
#1 William Kyngesburye
kyngchaos@kyngchaos.com

The following bug has been logged online:

Bug reference: 4330
Logged by: William Kyngesburye
Email address: kyngchaos@kyngchaos.com
PostgreSQL version: 8.3.1
Operating system: Mac OS X 10.4.11
Description: Bonjour connections ignore hba config METHOD and always trusted
Details:

I have a role configured for local IP connection with md5 authentication.
When using the postgres server IP or DNS name from a local network
connection, it correctly prompts for the role's password.

When connecting with the Bonjour name of the postgres server, it ignores the
md5 setting and always trusts the connection. I tried with other auth
methods with the same effect.

This is bad.

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: William Kyngesburye (#1)
Re: BUG #4330: Bonjour connections ignore hba config METHOD and always trusted

"William Kyngesburye" <kyngchaos@kyngchaos.com> writes:

> When connecting with the Bonjour name of the postgres server, it ignores the
> md5 setting and always trusts the connection. I tried with other auth
> methods with the same effect.

What exactly have you got in pg_hba.conf?

AFAIK there is no such thing as a "Bonjour connection"; Bonjour just
provides a means for the server to advertise its IP address. I
speculate that what it's advertising is a port that you have configured
to be trusted.

regards, tom lane

#3 William Kyngesburye
kyngchaos@kyngchaos.com
In reply to: Tom Lane (#2)
Re: BUG #4330: Bonjour connections ignore hba config METHOD and always trusted

On Jul 28, 2008, at 3:35 PM, Tom Lane wrote:

> "William Kyngesburye" <kyngchaos@kyngchaos.com> writes:
>
>> When connecting with the Bonjour name of the postgres server, it
>> ignores the md5 setting and always trusts the connection. I tried
>> with other auth methods with the same effect.
>
> What exactly have you got in pg_hba.conf?
>
> AFAIK there is no such thing as a "Bonjour connection"; Bonjour just
> provides a means for the server to advertise its IP address. I
> speculate that what it's advertising is a port that you have
> configured to be trusted.
>
> regards, tom lane

The default:

# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust

and:

host all somerole 192.168.1.0/24 md5

the local unix and local tcp lines aren't catching the connection - if
I remove my added connection, all external connections fail, as
expected. And I tried reordering it so my addition is first, but a
bonjour connection is still trusted.

I realize that bonjour just supplies IP info to the client. I too
find it strange that the server would see the connection differently.

-----
William Kyngesburye <kyngchaos*at*kyngchaos*dot*com>
http://www.kyngchaos.com/

"Time is an illusion - lunchtime doubly so."

- Ford Prefect

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: William Kyngesburye (#3)
Re: BUG #4330: Bonjour connections ignore hba config METHOD and always trusted

William Kyngesburye <kyngchaos@kyngchaos.com> writes:

>> What exactly have you got in pg_hba.conf?
>
> The default:
>
> # "local" is for Unix domain socket connections only
> local all all trust
> # IPv4 local connections:
> host all all 127.0.0.1/32 trust
> # IPv6 local connections:
> host all all ::1/128 trust
>
> and:
>
> host all somerole 192.168.1.0/24 md5

Well, there's an awful lot of "trust" laying about there. I'd suggest
enabling log_connections so you can see what address the connections
are actually coming in on.

regards, tom lane
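
Added example (not part of the original thread, and not PostgreSQL's own code): a simplified first-match evaluator for the pg_hba.conf lines quoted above, showing that the method applied depends only on the connection type and source address the server sees, which is what log_connections reveals. The client addresses and database name in the usage are constructed; only `local` and `host` lines with CIDR addresses and `all` or a single name are handled.

```python
import ipaddress

# pg_hba.conf lines quoted in the thread (defaults plus the added md5 rule).
PG_HBA = """\
# "local" is for Unix domain socket connections only
local   all   all                        trust
# IPv4 local connections:
host    all   all        127.0.0.1/32    trust
# IPv6 local connections:
host    all   all        ::1/128         trust
host    all   somerole   192.168.1.0/24  md5
"""

def parse_hba(text):
    """Return rules as dicts in file order; comments and blank lines skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            ctype, db, user, method = fields[:4]
            net = None
        else:
            ctype, db, user, cidr, method = fields[:5]
            net = ipaddress.ip_network(cidr)
        rules.append({"type": ctype, "db": db, "user": user,
                      "net": net, "method": method})
    return rules

def auth_method(rules, user, db, addr=None):
    """First matching rule wins. addr=None means a Unix-socket connection.
    Returns the method, or None when no rule matches (connection rejected)."""
    ip = ipaddress.ip_address(addr) if addr else None
    for r in rules:
        if (r["type"] == "local") != (ip is None):
            continue  # socket rules never match TCP connections, and vice versa
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if ip is not None and ip not in r["net"]:
            continue  # a v4/v6 version mismatch also lands here
        return r["method"]
    return None

if __name__ == "__main__":
    rules = parse_hba(PG_HBA)
    # Constructed client addresses: LAN, IPv4 loopback, IPv6 loopback, socket.
    for addr in ("192.168.1.50", "127.0.0.1", "::1", None):
        print(addr or "unix socket", "->", auth_method(rules, "somerole", "postgres", addr))
```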