Postgres not allowing localhost but works with 127.0.0.1

后端 未结 2 1409
梦如初夏
梦如初夏 2021-02-05 12:10

Postgres not accepting connection if I say -h localhost but it works if I say -h 127.0.0.1

[root@5d9ca0effd7f opensips]# psql -U postgre         


        
2条回答
  •  南笙
    南笙 (楼主)
    2021-02-05 12:47

    In pg_hba.conf, the first match counts. Per documentation:

    The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.

    Note the reversed order:

    host    all         all         127.0.0.1/32          trust
    host    all         all         127.0.0.1/32          ident
    

    But:

    host    all         all        localhost             ident
    host    all         all        localhost             trust
    

    Remember to reload after saving changes to pg_hba.conf. (Restart is not necessary.) The manual:

    The pg_hba.conf file is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you will need to signal the postmaster (using pg_ctl reload, calling the SQL function pg_reload_conf(), or using kill -HUP) to make it re-read the file.

    If you really "add" the lines like you wrote, there should not be any effect at all. But if you replace the lines, there is.

    In the first case, you get trust authentication method, which is an open door policy. Per documentation:

    PostgreSQL assumes that anyone who can connect to the server is authorized to access the database with whatever database user name they specify (even superuser names)

    But in the second case you get the ident authentication method, which has to be set up properly to work.

    Plus, as Cas pointed out later, localhost covers both IPv4 and IPv6, while 127.0.0.1/32 only applies to IPv4. An important difference if IPv6 is in use.

    If you are actually using the outdated version 8.4, go to the old manual for 8.4. You are aware that 8.4 has reached EOL in 2014 and is not supported any more? Consider upgrading to a current version.

    In Postgres 9.1 or later you would also rather use peer than ident.

    More:

    • Run batch file with psql command without password

提交回复
热议问题