First of all I am new to PostgreSQL coming from MySQL. I have just installed PostgreSQL from the Fedora repositories and created the postgres user as per the fedora wiki pages, by su-ing into the postgres user and creating its role using the psql shell.
# su - postgres
$ psql
> \password
Then I created a test script that is served through nginx that will create a test DB and populate it. I'm trying to log in from the script by using the postgres user and its password via peer authentication, with the following pdo dsn:
new PDO('pgsql:user=postgres password=**********');
However, after struggling with SELinux, the connection fails saying that the peer authentication failed, so I looked into the postgresql logs and found that:
The delivered username (postgres) and the athenticated username (apache) do not match.
So I can deduce that the user that owns the process that's trying to access the db is the user that's being authenticated, so I assume I have to create the corresponding role for the apache user in the db. But why does it do this? Is it some sort of security measure? Is there a way to use the postgres role or am I bound to the apache role?
Do not use the postgres user for applications. It's an administrative role. It's like running a web server as root. Create less-privileged users for your applications. You may also want to CREATE DATABASE ... WITH OWNER myappuser; to give the app ownership of a database, unless you plan to use finer-grained security.
Create a user for your application to use. Set a randomly generated password, and record that password so your app can use it.
Create a database for the app to use, with the app user as the owner of the database. (This isn't ideal, but it's the simple way. To learn more, read the PostgreSQL manual's chapters on security and privileges.)
Modify pg_hba.conf to add an entry for the user on that database that uses md5 authentication, at least for the database(s) of interest. Make sure the entry is above the default peer entries.
Then reload PostgreSQL's configuration - SELECT pg_reload_conf().
Your app can now connect to PostgreSQL using a password, but you can still get simple peer authentication with psql on the command line.
Related
I have a laravel App on elastic beanstalk on AWS. And I am using Postgres as the DB. It is an AWS linux 2.
When I try connecting even local to the db I get this error.
I tried modifying the db's inbound rules, still not working.
Illuminate\Database\QueryException: SQLSTATE[08006] [7] FATAL:
password authentication failed for user "postgres" FATAL: password
authentication failed for user "postgres" (SQL: select count(*) as
aggregate from "user" where "phoneNumber" = +1111111111111111) in file
/var/app/current/vendor/laravel/framework/src/Illuminate/Database/Connection.php
on line 692
If your DB is a Managed PostgreSQL on AWS RDS
Then you may want to reset password of the postgres user.
As per RDS manual
To modify the master user password, follow these steps:
Open the Amazon RDS console.
Select Databases.
Select the RDS DB instance, and then choose Modify.
Note: If you use Aurora, expand the cluster, and choose the instance that you want to modify. Then, choose Modify.
Enter the master user password you want to use in the New Master Password field.
Note: The password change is asynchronous, and applies as soon as possible. This change ignores the Apply Immediately setting.
Choose Continue, and then choose Modify DB Instance.
The Status field for your RDS DB instance on the RDS dashboard changes to resetting-master-credentials. When the modification is complete, the Status column changes to Available. You can also modify an RDS DB instance using the Amazon RDS API or the AWS Command Line Interface (AWS CLI).
If your DB is self-deployed to the AWS EC2 instance
Then you may want to enable password-based authentication of the postgres user. It's disabled by default for new DB instances.
Find the pg_hba.conf file
To find the pg_hba.conf file on your server, you can look in the PostgreSQL configuration directory.
E.g.:
find /etc/postgresql/ -name pg_hba.conf
Then open found file in your ${EDITOR}
To allow md5 password authentication for any connections coming from the local 192.168.0.0/24 network, add a line like this:
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
host all all 192.0.0.0/24 md5
And then restart PostgreSQL:
sudo pgctl restart
you're right #Yasen, thanks man.
changing the password worked
it crossed my mind earlier but some how I just kept creating new db instances with the same password and it kept failing.
anyways, the underlying issue was the password contained a '#' and '#' in laravel and hence php means comment;
so, somehow it was affecting the validation process.
Setup: intranet SQL Server and Domain Controller. In the DMZ we have a web server (IIS, PHP7).
SQL Server has mixed mode authentication. I'm trying to migrate from an old API setup (PHP5, mssql_connect), to a new setup (PHP7, IIS).
With the old API setup, authentication happens through mssql_connect using the supplied username and password, and connects to the sql server without a problem. The username and password are DOMAIN credentials, and setup on SQL SERVER as GROUPS. This makes it much easier to add/remove users, and works very well.
New API setup attempt #1:
- sqlsrv_connect: Supplying username and password forces sqlsrv_connect to use SQL USER authentication instead of WINDOWS authentication. Because the users are on the domain but NOT assigned directly to the SQL SERVER, this fails.
attempt #2:
- sqlsrv_connect: not supplying username and password forces sqlsrv_connect to connect via windows authentication with set credentials (not what we need). Yes, we could set these credentials to whatever we want, but then any stored procedures within SQL SERVER which check usernames might return our 'set user', rather than the actual client username.
attempt #3:
- PDO:sqlsrv: - Same thing with and without usernames.
attempt #4:
- do LDAP authentication (with credentials) then sqlsrv_connect (without credentials). This allows me to verify the user should have access to the database, but does not allow me to see the username from within stored procedures.
I've read MANY posts on this topic from google, stackoverflow, and other places. NONE of them address having an API hosted in a DMZ where YOU DON'T WANT the WEBSERVER ITSELF to have credentials that can access the database. What we need is for the USER SUPPLIED credentials to be passed through the API (web server) and into the SQL server as "Windows Authentication" (not as SQL Users). That way any queries to the SQL server are performed as THE USER, and we can manage the users via the directory.
Most of the posts infer that the users gave up and went with SQL USER authentication (sounds like a management headache), or enabled anonymous access from the webserver to SQL server (also seems like a bad idea with the webserver in the DMZ).
Am I completely off my rocker to expect this to work? I know this is not a standard SO question, but I'm not sure where else to put this. If you know of any posts/pages where the above is done (using explicit credentials to connect with Windows Authentication with sqlsrv), please share.
Thanks.
This is usually done with Kerberos Constrained Delegation.
That requires your web site to use Windows Authentication (Kerberos, not NTLM), and your web site would not have any access to the user's credentials. How and if that works in PHP, I don't know. But there's lots of info on how to set it up and do it in ASP.NET. Basically IIS has a token you can use to Impersonate.
If you are accepting credentials over Forms or Basic auth and want to use those to connect to SQL Server using Windows Auth, you can't just paste them into the connection string. You have to change the security context of the thread using Impersonation.
First you use the credentials to perform an actual logon with the LoginUser API. Then you use the returned handle to ImpersonateLoggedOnUser. After with you can connect to SQL Server with Windows integrated auth. At the end of the request you would call RevertToSelf to stop running as the requesting end user.
I have recently purchased VPS and I installed LAMP on it.
When I access Phpmyadmin through browser it asks login and password.
Even if I insert wrong password I can login successfully. I even checked it in another PC with other network, I was allowed to login.
So, How can I make a change in such a way that wrong password and login combination don't allow user to log in.
Note: I have installed fail2ban and Iptables in the server.
Checked in the phpmyadmin config file
/etc/panel/configs/phpmyadmin/config.inc.php but could not find,
$cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
It sounds like your MySQL installation has some security problem. Perhaps the anonymous user has been given too many privileges, or perhaps the MySQL daemon is running with the --skip-grant-tables option for some reason.
How did you install phpMyAdmin? Did you use some prepackaged kit, your distribution's package manager, or download the phpMyAdmin source yourself to move to your web root folder?
Start by checking the "User accounts" tab, is there an "Any" user? What are the Global privileges for that user? Does that account have any database-specific privileges? Go to one of the affected databases, the use the "Privileges" tab to see whether that user has access.
Check the main page to verify what user account you are logged in as, this is under the "Database server" section. Try logging in as a different user entirely and see if the information shown there changes at all.
Try connecting from the command line client to see if you're able to edit rows there as well.
I am trying to set up a phpBB forum on a locally hosted webpage. It being done in an openSUSE Linux OS.
I have installed MariaDB (MySQL), and created a new database named new_database using the command CREATE DATABASE new_database;, along with a user named user with the command CREATE USER 'new_user'#'localhost' IDENTIFIED BY 'password';. I also changed the root password to password, just for testing purposes.
When I enter this info into the phpBB installation database settings screen, I get the error
Could not connect to the database, see error message below.
Access denied for user 'new_user'#'localhost' to database 'new_database'.
I am using localhost for the DSN. Any ideas? From everything I've found online it should be working...
After you create the user you have to Grant Privileges, this is how you do it.
GRANT ALL PRIVILEGES ON new_database.* TO 'newuser'#'localhost';
Do not forget to flush.
FLUSH PRIVILEGES
Common Privileges
ALL PRIVILEGES- all access
CREATE- allows them to create new tables or databases
DROP- allows them to them to delete tables or databases
DELETE- allows them to delete rows from tables
INSERT- allows them to insert rows into tables
SELECT- allows them to use the Select command to read through databases
UPDATE- allow them to update table rows
GRANT OPTION- allows them to grant or remove other users' privileges
You can specify the database and table.
new_database.* (Specific Database, all tables)
new_database.table (Specific Database, specific table)
*.* (all databases, al tables)
I had the same issue with a phpBB install and solved the problem by accessing the database through phpMyAdmin and noticing on the splash page it said "User: pits#localhost", which was different from the user (pits_bull) I had created and attached to the database and was trying to connect with.
I tried it with just "pits" and it worked. Not sure whether there is a security issue with that though, or why it worked, but it IS working!
I'm trying to build a database for my server in phpmyadmin but when I finish building it I can't access it using PHP and it won't show when I list the databases in MySQL. But when I create a database in mySql it shows up in phpmyadmin. Also I'm running phpmyadmin version 4.0.3, and theres a statement at the bottom of the page saying The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. To find out why click here.
Thanks!
I just had the problem, and realized that I was creating database with names with '_test' suffixes.
It happens that phpmyadmin has a feature to hide some DBs. To change that behaviour, you can navigate to : settings > features > general > Hide databases
By default, hiddent databases have these patterns : information_schema|mysql|performance_schema|test|phpmyadmin
If you Still don't see it, Try to logout and then log in again to cPanel or PHPMyAdmin. It worked for me.
This sounds like a permissions issue. I'd guess that your phpMyAdmin is connecting to MySQL as root (or another user with the superuser privilege) and can therefore see all databases. Your app is probably connected using a different, lower privileged user.
Try running select user(); from your app and from phpMyAdmin and you will know for sure.
Assuming your app is running with a different user, you will need to add privilages for it to access the database you create. Please read the section titled Assigning privileges to user for a specific database in the phpMyAdmin documentation.
This is pure permission issue.
If you logged in without specifying the user, you won't see all the databases just like #t3po7re5 mentioned. What you should do is specify root user in your command.
mysql -uroot -p
It will prompt you to then enter the password. this is the default password if you have not specified or changed the default root password depending on the local server you are using.