
Re: pam_pgsql problems



On Mon, 2003-10-06 at 18:01, martin f krafft wrote:
...
> All in all, this makes pam_pgsql pretty unusable, and I don't really
> know why. I have never told it to use SSL, and that's where the
> errors seem to come from. Postgres allows cleartext access:
> 
> /etc/postgres/pg_hba.conf:
>   host    all        all       127.0.0.1       255.0.0.0   password
> 
> why in the world is SSL being used at all? What may be worth
> noticing is that PostgreSQL started to use SSL when possible in
> 7.3.3-1. If I connect with psql to localhost, being allowed to use
> clear text, I am told that I am using a
> 
>   SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
>   
> However, if I connect with psql to localhost on a 7.2.1-2woody2
> machine, I do not get this notice and the connection is clear-text.
> 
> There is no mention in the changelog about this, so maybe Oliver has
> a comment?

The documentation on authentication methods in pg_hba.conf says:

hostssl
        
        This record matches connection attempts using SSL over TCP/IP.
        host records will match either SSL or non-SSL connection
        attempts, but hostssl records require SSL connections. 
        
        To be able make use of this option the server must be built with
        SSL support enabled. Furthermore, SSL must be enabled by
        enabling the option ssl in postgresql.conf (see Section 3.4). 

So it seems that pam_pgsql is choosing to use SSL to connect to the
PostgreSQL server.  SSL is always accepted on a TCP/IP connection in
7.3.  Your note on the use of psql suggests that somehow SSL is the
default access method on your machine.  That does not happen for me, and
I don't know what in your setup may be causing it.

If you never want to use SSL connections, you can turn SSL off in
postgresql.conf.  In 7.4, you will be able to use hostnossl as an access
method in pg_hba.conf.

-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight, UK                             http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "Blessed is the man that walketh not in the counsel of 
      the ungodly, nor standeth in the way of sinners, nor 
      sitteth in the seat of the scornful. But his delight 
      is in the law of the LORD; and in his law doth he 
      meditate day and night."         Psalms 1:1,2 
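
The record-type matching described in the message above, as an added example that is not part of the original post or of PostgreSQL's code: a small first-match evaluator showing that a `host` record accepts both SSL and non-SSL connections, while `hostssl` and the 7.4 `hostnossl` accept only one kind. The database and user names `mail` and `pam` are constructed, and only literal names and `all` are handled in those columns.

```python
import ipaddress

# Constructed samples in the 7.3/7.4 column layout:
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
HBA_FROM_THREAD = "host       all  all  127.0.0.1  255.0.0.0  password\n"
HBA_NOSSL_74    = "hostnossl  all  all  127.0.0.1  255.0.0.0  password\n"
HBA_SSL_ONLY    = "hostssl    all  all  127.0.0.1  255.0.0.0  password\n"


def parse_hba(text):
    """Parse TCP/IP records; 'local' (Unix socket) lines are skipped."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue
        if fields[0] not in ("host", "hostssl", "hostnossl") or len(fields) < 6:
            raise ValueError(f"unsupported record: {raw!r}")
        rtype, db, user, addr, mask, method = fields[:6]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        records.append((rtype, db, user, net, method))
    return records


def first_match(records, client_ip, database, user, ssl):
    """Return (type, method) of the first matching record, else None.

    Simplification: only literal names and 'all' are handled in the
    database and user columns.
    """
    ip = ipaddress.ip_address(client_ip)
    for rtype, db, usr, net, method in records:
        if rtype == "hostssl" and not ssl:
            continue  # hostssl requires an SSL connection
        if rtype == "hostnossl" and ssl:
            continue  # hostnossl (7.4) matches only non-SSL connections
        if db in ("all", database) and usr in ("all", user) and ip in net:
            return rtype, method
    return None


if __name__ == "__main__":
    for name, text in [("host", HBA_FROM_THREAD), ("hostnossl", HBA_NOSSL_74),
                       ("hostssl", HBA_SSL_ONLY)]:
        recs = parse_hba(text)
        for ssl in (True, False):
            print(name, "ssl" if ssl else "plain",
                  first_match(recs, "127.0.0.1", "mail", "pam", ssl))
```

A `None` result means no record matched, which the server treats as a rejected connection.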


