Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am using redhat linux 9.0 and postgres 7.3.x. To connect to postgres database, i am using an phppgadmin(which will enable us to work in an GUI environment), But when i login as postgres without password, it allows me to login. And whatever the password i give, it allows me to login. Please help me to solve this security issue.
------------------------------------------------------------------------------------------------
i have the following entries in the pg_hba.conf file
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description. A short synopsis
# follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of three forms:
#
# local DATABASE USER METHOD [OPTION]
# host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
# hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
#
# (The uppercase quantities should be replaced by actual values.)
# DATABASE can be "all", "sameuser", "samegroup", a database name (or
# a comma-separated list thereof), or a file name prefixed with "@".
# USER can be "all", an actual user name or a group name prefixed with
# "+" or a list containing either. IP-ADDRESS and IP-MASK specify the
# set of hosts the record matches. METHOD can be "trust", "reject",
# "md5", "crypt", "password", "krb4", "krb5", "ident", or "pam". Note
# that "password" uses clear-text passwords; "md5" is preferred for
# encrypted passwords. OPTION is the ident map or the name of the PAM
# service.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect, or use
# "pg_ctl reload".
# Put your actual configuration here
# ----------------------------------
#
# CAUTION: The default configuration allows any local user to connect
# using any PostgreSQL user name, including the superuser, over either
# Unix-domain sockets or TCP/IP. If you are on a multiple-user
# machine, the default configuration is probably too liberal for you.
# Change it to use something other than "trust" authentication.
#
# If you want to allow non-local connections, you need to add more
# "host" records. Also, remember TCP/IP connections are only enabled
# if you enable "tcpip_socket" in postgresql.conf.
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
# Using sockets credentials for improved security. Not available everywhere,
# but works on Linux, *BSD (and probably some others)
The "trust" authentication method is the problem here. This does allow unconditional access without a password being supplied. You'll need to change this to one of the authentication methods described in http://www.postgresql.org/docs/7.3/i...tication.html. Using md5 will probably provide the best security.
trust : always allow the connection, do not check password
reject : always reject the connection, do not check password
md5 : Require an MD5 encrypted password from the client (this is the preferred method for insecure networks).
crypt : Like md5, but using less secure encryption. Required for compatibility with client versions < 7.2
password : Like md5, but the password is not encrypted.
krb4 : Use Kerberos V4 authentication (only available for TCP/IP connections)
krb5 : Like krb4, but with Kerberos V5
ident : Perform authentication using the OS user names.
pam : Use the PAM service to authenticate.
I'd suggest changing the "trust" sections of the file to "md5", for a fairly secure system. If this causes problems, you could also try "password", which should be secure enough since you're only connecting locally.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.