Hi, for the second user/role over VPN, even with md5, I get the error:

P3Error PostgreSQL password authentication failed for user "<seconduser>"

I am only able to connect if the method is "trust". Why is this so?

# IPv4 external connections thru VPN
#TYPE  DATABASE  USER  ADDRESS  METHOD
host   all       all   <ip>     scram-sha-256
(or "md5" - second user is only able to connect if this is "trust")

regards
Sanjay

On Fri, Feb 9, 2024 at 2:44 PM Sanjay Minni <sanjay.mi...@gmail.com> wrote:

> So why do I get a password error when I try to connect 2 users over VPN
> from the same machine to the same host with the following settings in
> pg_hba.conf - how to find the issue?
> ( user1:user1pwd@<vpnip/database> & user2:user2pwd@<vpnip/database> )
>
> # IPv4 external connections thru VPN
> #TYPE  DATABASE  USER  ADDRESS  METHOD
> host   all       all   <ip>     scram-sha-256
>
> And what's the best option keeping security in mind?
>
> regards
> Sanjay
>
> On Fri, Feb 9, 2024 at 1:26 PM Daniel Gustafsson <dan...@yesql.se> wrote:
>
>> > On 9 Feb 2024, at 08:41, Sanjay Minni <sanjay.mi...@gmail.com> wrote:
>> >
>> > While trying to make multiple connects with different role names to a
>> > single database over VPN I faced a password error issue when trying to
>> > connect a second user.
>> > It seems I had to change this line in pg_hba.conf and it worked:
>> >
>> > `# IPv4 external connections thru VPN
>> > #TYPE  DATABASE  USER  ADDRESS  METHOD
>> > host   all       all   <ip>     trust `  <=(from the earlier scram-sha-256)
>> >
>> > Is this the way, and is this correct from a security point of view?
>>
>> While correctness and security always need to be evaluated from the
>> specific needs of an installation, the odds are pretty good that "No" is
>> the correct answer here. To quote the documentation on the "trust" setting:
>>
>>     "Allow the connection unconditionally. This method allows anyone that
>>     can connect to the PostgreSQL database server to login as any
>>     PostgreSQL user they wish, without the need for a password or any
>>     other authentication."
>>
>> I would recommend immediately reverting back to the scram-sha-256 setting
>> and figuring out why you were unable to login.
>>
>> --
>> Daniel Gustafsson
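
As an added example (not part of the thread and not PostgreSQL's own tooling), this Python sketch audits pg_hba.conf text for the situation discussed above: TCP rules that use "trust" for non-loopback addresses, plus "md5" rules that could move to scram-sha-256. The sample file, the 10.8.0.0/24 network standing in for the redacted <ip>, the function names and the severity labels are all assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed sample; 10.8.0.0/24 stands in for the thread's redacted <ip>.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   trust
host    all       all   10.8.0.0/24    trust
host    all       app   10.8.0.0/24    md5
hostssl all       all   10.8.0.0/24    scram-sha-256
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def split_rule(fields):
    """Return (address, method), coping with the two-column 'IP MASK' form."""
    try:
        ipaddress.ip_address(fields[4])  # parses only if this column is a netmask
        return f"{fields[3]}/{fields[4]}", fields[5]
    except (ValueError, IndexError):
        return fields[3], fields[4]

def is_loopback(address):
    """True only when the whole ADDRESS field is a loopback network."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname, "all", "samenet", ...: treat as remote

def audit_hba(text):
    """Return (line_no, severity, message) for risky TCP rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue
        address, method = split_rule(fields)
        if method == "trust" and not is_loopback(address):
            findings.append((no, "high", f"trust for {address}: no password is checked"))
        elif method == "md5":
            findings.append((no, "medium", f"md5 for {address}: prefer scram-sha-256"))
    return findings

if __name__ == "__main__":
    for no, severity, message in audit_hba(SAMPLE_HBA):
        print(f"line {no}: [{severity}] {message}")
```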