phpPgAdmin + PostgreSQL + authentication

Started by Johnson, Shaunn, over 23 years ago; 4 messages; general
#1 Johnson, Shaunn
SJohnson6@bcbsm.com

Howdy:

Not sure if this is the most likely of mailing lists to ask,
but is anyone using phpPgAdmin? I have a few questions
regarding authentication of username / passwords.

I'm running PostgreSQL 7.2.1 on RedHat Linux 7.2 kernel 2.4.7-10.
I have phpPgAdmin 2.4.2 installed.

Basically, I want to know: how to configure phpPgAdmin to
allow all the users that exist in pg_shadow to log in and
be authenticated?

In my pg_hba.conf, I have this:

[snip conf file]

# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
local all trust
host all 127.0.0.1 255.255.255.255 md5
host all 16.x.x.1 255.0.0.0 md5
host all 192.168.0.0 255.255.255.0 md5

[/snip conf file]

In the config.inc.php, I have this:

[snip php conf]

// The $cfgServers array starts with $cfgServers[1]. Do not use $cfgServers[0].
// You can disable a server config entry by setting host to ''.
$cfgServers[1]['local'] = false;
$cfgServers[1]['host'] = 'test.localserver.net';
$cfgServers[1]['port'] = '5432';
$cfgServers[1]['adv_auth'] = true;

$cfgServers[1]['user'] = ''; // if you are not using adv_auth, enter the username to connect all the time
$cfgServers[1]['password'] = ''; // if you are not using adv_auth and a password is required enter a password
$cfgServers[1]['only_db'] = ''; // if set to a db-name, only this db is accessible

[/snip php conf]

As I understand it, shouldn't this allow any user with TCP connection
to access the database? I suppose I am trying to understand if
adv_auth even uses pg_shadow at all, or, does 'local' mean that
no authentication is needed, anyone can log in.

The only thing that happens at the index.php page is when I log
in, I get "Wrong username/password. Access denied".

I mean, if I can access the database via command line (psql -U joe -d testdb)
without needing to authenticate myself, shouldn't that mean that phpPgAdmin
allows the same thing? Otherwise, I should be able to use what's in
pg_shadow, right?

I am re-reading the documentation page. Any info / direction is
appreciated.

Thanks!

-X

#2 Robert Treat
xzilla@users.sourceforge.net
In reply to: Johnson, Shaunn (#1)
Re: phpPgAdmin + PostgreSQL + authentication

I've used phpPgAdmin before. My guess is that you're failing because
postgresql is expecting an md5'd password to authenticate with, and
phpPgAdmin is passing in an unencrypted password.

On a related note, when phpPgAdmin is set to advanced authentication mode,
it will rely on the information in pg_shadow.

Robert Treat


#3 Hunter Matthews
thm@duke.edu
In reply to: Johnson, Shaunn (#1)
Re: phpPgAdmin + PostgreSQL + authentication

On Tue, 2002-10-08 at 12:21, Johnson, Shaunn wrote:

Not sure if this is the most likely of mailing lists to ask,
but is anyone using phpPgAdmin? I have a few questions
regarding authentication of username / passwords.

We are. I love it.

In my pg_hba.conf, I have this:

[snip conf file]

# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
local all trust

I specifically disallow local, because we're about to switch to kerberos
as our auth mechanism.

In your case, I think you want md5 here as well.

host all 127.0.0.1 255.255.255.255 md5
host all 16.x.x.1 255.0.0.0 md5
host all 192.168.0.0 255.255.255.0 md5

[/snip conf file]

In the config.inc.php, I have this:

[snip php conf]

// The $cfgServers array starts with $cfgServers[1]. Do not use $cfgServers[0].
// You can disable a server config entry by setting host to ''.
$cfgServers[1]['local'] = false;
$cfgServers[1]['host'] = 'test.localserver.net';
$cfgServers[1]['port'] = '5432';
$cfgServers[1]['adv_auth'] = true;

$cfgServers[1]['user'] = ''; // if you are not using adv_auth, enter the username to connect all the time
$cfgServers[1]['password'] = ''; // if you are not using adv_auth and a password is required enter a password
$cfgServers[1]['only_db'] = ''; // if set to a db-name, only this db is accessible

[/snip php conf]

As I understand it, shouldn't this allow any user with TCP connection
to access the database? I suppose I am trying to understand if
adv_auth even uses pg_shadow at all, or, does 'local' mean that
no authentication is needed, anyone can log in.

I believe it does.

The only thing that happens at the index.php page is when I log
in, I get "Wrong username/password. Access denied".

Advanced auth requires you to have these two entries:
$cfgServers[1]['stduser'] = 'auth';
$cfgServers[1]['stdpass'] = 'adv_auth';

Obviously, where stduser and stdpass are specific to your site.

What happens is pgadmin needs some way to confirm or deny that a given
user can login to the database, and so has to use this "other"
user/password to connect.

I think that's what's happening, anyway.

--
Hunter Matthews Unix / Network Administrator
Office: BioScience 145/244 Duke Univ. Biology Department
Key: F0F88438 / FFB5 34C0 B350 99A4 BB02 9779 A5DB 8B09 F0F8 8438
Never take candy from strangers. Especially on the internet.
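
Added example, not part of the original thread and not code from phpPgAdmin or PostgreSQL: a small first-match evaluator for the pg_hba.conf records posted in #1, showing which AUTH_TYPE applies to a Unix-socket client (psql run without -h) and to a TCP client, before and after the "local ... md5" change suggested in #3. It assumes phpPgAdmin connects over TCP when 'local' is false and a host name is set; the 192.168.0.10 client address is constructed, and the record with the redacted 16.x.x.1 address is left out.

```python
import ipaddress

# pg_hba.conf records from post #1 (7.2 layout: TYPE DATABASE
# [IP_ADDRESS MASK] AUTH_TYPE). The record with the redacted address
# (16.x.x.1) is omitted because it cannot be parsed.
POSTED = """\
local all trust
host all 127.0.0.1 255.255.255.255 md5
host all 192.168.0.0 255.255.255.0 md5
"""
# Same file with the change suggested in reply #3: md5 on the local record.
SUGGESTED = POSTED.replace("local all trust", "local all md5")


def parse(text):
    """Return records as (type, database, network-or-None, auth_type)."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            records.append(("local", fields[1], None, fields[2]))
        elif fields[0] == "host":
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
            records.append(("host", fields[1], net, fields[4]))
    return records


def auth_method(records, database, client_ip=None):
    """First matching record wins; client_ip=None means a Unix-socket client."""
    for rtype, db, net, auth in records:
        if db not in ("all", database):
            continue
        if client_ip is None:
            if rtype == "local":
                return auth
        elif rtype == "host" and ipaddress.ip_address(client_ip) in net:
            return auth
    return "reject"  # label used here: no matching record, connection refused


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        recs = parse(conf)
        print(name, "Unix socket ->", auth_method(recs, "testdb"))
        # 192.168.0.10 is a constructed client address.
        print(name, "TCP client  ->", auth_method(recs, "testdb", "192.168.0.10"))
```

With the posted file the Unix-socket client gets trust and the TCP client gets md5, so a password-free psql session says nothing about what a TCP client will be asked for.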

#4 Johnson, Shaunn
SJohnson6@bcbsm.com
In reply to: Hunter Matthews (#3)
Re: [ADMIN] phpPgAdmin + PostgreSQL + authentication

--howdy:

--i'm doing a few tests on it, and one of the drawbacks
--that i've seen is that you can not do complicated
--sql on it (the joins between multiple tables, heavy
--calculations, etc).

--i tried to do something like that in a report (didn't see
--how else i could do it) and my browser timed out
--and the query kept running!

--i really would like to find a nice alternative (like pgAdmin II ).
--i've tested a few, but most of them don't handle md5
--encryption and the others want python installed
--(and at compile time when building postgreSQL ... i just
--can't do that right now ... ).

--if anyone can suggest some product that can do
--what pgAdmin II is doing without python AND can run on
--a windows environment, i'd be grateful for the information.

--thanks again!

-X
