Re: strange behavior of pg_hba.conf file

On 11/22/23 10:03 AM, Atul Kumar wrote:
> Please can you share any command  for due diligence whether ip is
> resolved to ipv6 ?.

This:

psql -d postgres -U postgres -p 5432 -h localhost

where pretty sure

/etc/hosts

is resolving localhost --> ::1

>
> On Wed, Nov 22, 2023 at 11:25 PM Andreas Kretschmer
> <andreas(at)a-kretschmer(dot)de> wrote:
>
>
>
> Am 22.11.23 um 18:44 schrieb Atul Kumar:
> > I am giving this command
> > psql -d postgres -U postgres -p 5432 -h localhost
> > Then only I get that error.
>
> so localhost resolved to an IPv6 - address ...
>
> >
> > but when I  pass ip or hostname of the local server then I don't
> get
> > such error message
> > 1. psql -d postgres -U postgres -p 5432 -h <ip of local server>
> > 2. psql -d postgres -U postgres -p 5432 -h <hostname of local
> server>
>
> resolves to an IPv4 - address. you can see the difference?
>
> localhost != iv4-address != hostname with ipv4 address
>
> Andreas
>
> >
> >
> > I don;t get that error while using the above two commands.
> >
> >
> > Regards.
> >
> >
> > On Wed, Nov 22, 2023 at 10:45 PM Adrian Klaver
> > <adrian(dot)klaver(at)aklaver(dot)com> wrote:
> >
> >     On 11/22/23 09:03, Atul Kumar wrote:
> >     > The entries that I changed were to replace the md5 with
> >     scram-sha-256
> >     > and remove unnecessary remote IPs.
> >
> >     FYI from:
> >
> > https://www.postgresql.org/docs/current/auth-password.html
> >
> >     md5
> >
> >          The method md5 uses a custom less secure challenge-response
> >     mechanism. It prevents password sniffing and avoids storing
> >     passwords on
> >     the server in plain text but provides no protection if an
> attacker
> >     manages to steal the password hash from the server. Also,
> the MD5
> >     hash
> >     algorithm is nowadays no longer considered secure against
> determined
> >     attacks.
> >
> >          The md5 method cannot be used with the
> db_user_namespace feature.
> >
> >          To ease transition from the md5 method to the newer SCRAM
> >     method,
> >     if md5 is specified as a method in pg_hba.conf but the user's
> >     password
> >     on the server is encrypted for SCRAM (see below), then
> SCRAM-based
> >     authentication will automatically be chosen instead.
> >
> >     >
> >     > But it has nothing to do with connecting the server
> locally with
> >     "psql
> >     > -d postgres -U postgres -h localhost"
> >
> >     The error:
> >
> >     no pg_hba.conf entry for host "::1", user "postgres", database
> >     "postgres
> >
> >
> >     says it does and the error is correct as you do not have an IPv6
> >     entry
> >     for localhost in pg_hba.conf. At least in the snippet you
> showed us.
> >
> >
> >     >
> >     > But when I try to connect it locally I get this error. So
> it is
> >     related
> >
> >     When you say connect locally do you mean to localhost or to
> >     local(socket)?
> >
> >     > to local connections only and when I pass the hostname or
> ip of the
> >     > server it works fine without any issue.
> >     >
> >     >
> >     > Regards.
> >     >
> >
> >     --
> >     Adrian Klaver
> > adrian(dot)klaver(at)aklaver(dot)com
> >
>
> --
> Andreas Kretschmer - currently still (garden leave)
> Technical Account Manager (TAM)
> www.enterprisedb.com <http://www.enterprisedb.com>
>
>
>