Bug 189698 - authd doesn't work with postgresql
Summary: authd doesn't work with postgresql
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: postgresql
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tom Lane
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-04-23 11:11 UTC by Behdad Esfahbod
Modified: 2013-07-03 03:09 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-08-11 12:10:56 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Behdad Esfahbod 2006-04-23 11:11:14 UTC 
Description of problem:
The authd ident service doesn't play nice with postgres for some reason. 
oidentd works.

How reproducible:

Steps to Reproduce:
1. enable auth service in xinetd
2. start postgres service
3. run "sudo -u postgres psql -h localhost"
  
Actual results:

Error that Ident authentication failed

Expected results:

psql should run

Additional info:

Uninstalling authd and installing oidentd makes it work.
Comment 1 Adam Tkac 2006-06-26 14:52:41 UTC 
make sure that auth service configured correctly. you can't send postgresql
encrypted data (server_args without -E)

service auth
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = ident
        cps             = 4096 10
        instances       = UNLIMITED
        server          = /usr/sbin/in.authd
        server_args     = -t60 --xerror --os #-E
}

# sudo -u postgres psql -h localhost
Welcome to psql 8.1.3, the PostgreSQL interactive terminal.
Comment 2 Behdad Esfahbod 2006-07-04 14:12:10 UTC 
So, shouldn't this be the default configuration then?
Comment 3 Karel Zak 2006-07-25 09:30:55 UTC 
What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
side setting correct?
Comment 4 Behdad Esfahbod 2006-07-25 20:03:49 UTC 
(In reply to comment #3)
> What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
> side setting correct?

I was using the default configuration, and it's been working flawlessly in
previous versions of Fedora.
Comment 5 Martin Stransky 2006-08-08 12:56:24 UTC 
Encryption is the default option in FC5....
Comment 6 Behdad Esfahbod 2006-08-10 21:04:40 UTC 
This *is* a bug.  If encryption is the default in Fedora, then postgres default
config should be made to understand it.  NOTABUG doesn't fix it.
Comment 7 Martin Stransky 2006-08-11 09:21:12 UTC 
Okay, reassignig to posgresql, could we enable the encryption here?
Comment 8 Tom Lane 2006-08-11 12:10:56 UTC 
No.  To postgres, the entire point of ident authentication is to find out the real username of the 
connecting process, and encrypted authd purposely prevents the requestor from finding that out.  The 
fact that the complainer thinks it's a bug doesn't make it so :-( ... it's just a difference of opinion about 
the goals of the ident protocol.

If you really want to use ident auth on a tcp connection with an encrypting authd, you can find out what 
authd will return as the "username" for each real user, and set up an ident map file to map that to 
postgres user names (ie, don't use "ident sameuser").  Unfortunately I see no way for postgres to 
determine that mapping automatically --- the encryption would be useless if easily reversed, no?

There's been some upstream discussion about moving away from ident as the default auth method for 
tcp connections, but that won't happen before PG 8.2 at the earliest.
Comment 9 Behdad Esfahbod 2006-08-11 15:56:35 UTC 
(In reply to comment #8)
> The fact that the complainer thinks it's a bug doesn't make it so :-( ...

True.  But the fact that we ship defaults that don't work /is/ a bug.  And in
this case, it's even a regression since it's been working in FC4 and before.
Note You need to log in before you can comment on or make changes to this bug.