How to connect to IBM Cloud Redis from Ruby on Rails application - ruby-on-rails

Migrating from one service to IBM Cloud for Redis.
I cannot find the correct configuration to connect using TLS. Everything I find on this is related to Heroku. and it ignores verifying the TLS/SSL connection.
I cannot find how to configure our Sidekiq/Redis to connect.
I do have a certificate from the IBM Cloud dashboard and I suspect I have to pass that along somehow.
Configure the Sidekiq.yml like this
:redis:
:url: "rediss://:< PWD >#< DB Name >:< PORT >/0"
:namespace: "app"
:ssl_params:
ca_file: 'path/to/cert'
I keep getting back the error Redis::CommandError - WRONGPASS invalid username-password pair or user is disabled.: however using these same credentials in the migration script I am able to connect to the DB, so the credentials are ok, I think it is not including the certificate correctly and I cannot find the correct way to do this

The sidekiq.yml configuration looks good to me, just make sure this has correct complete path
ca_file: 'path/to/cert'
and change the redis url to
:url: "rediss://< PWD >#< DB Name >:< PORT >/0"
further info you can read from here for TLS secured connection.

I'm not familiar with sidekiq.yml. But I've configured redlin with redis using a python script you can find here: https://github.com/IBM-Cloud/vpc-transit/blob/master/py/test_transit.py. Maybe the configuration is similar.
The relevant code is:
def vpe_redis_test(fip, resource):
"""execute a command in fip to verify postgresql is accessible"""
redis = resource["key"]
credentials = redis["credentials"]
cert_data = credentials["connection.rediss.certificate.certificate_base64"]
cli_arguments = credentials["connection.cli.arguments.0.1"]
command = f"""
#!/bin/bash
set -ex
if [ -x ./redli ]; then
echo redli already installed
else
curl -LO https://github.com/IBM-Cloud/redli/releases/download/v0.5.2/redli_0.5.2_linux_amd64.tar.gz
tar zxvf redli_*_linux_amd64.tar.gz
fi
./redli \
--long \
-u {cli_arguments} \
--certb64={cert_data} << TEST > redis.out
set foo working

Related

How to use PEM passphrase/TrustedRoot/TLS Mutual Auth Cert/Private Key in a .netCore 3.1 Ubuntu container

I am trying to write .netCore 3.1 API in an Ubuntu Linux container that runs the equivalent of this Curl command.
WORKING LINUX CONTAINER CURL COMMAND:
curl --cacert /etc/root/trustedroot.crt --cert /etc/mutualauth/tls.crt --key /etc/mutualauth/tls.key
--header "SOAPAction:actionName" --data #test.xml https://this.is.the/instance --verbose
Enter PEM pass phrase: *****
<Success...>
We use Windows development laptops so everything starts with Windows.
So far, I have the following HttpClientHandler that my HttpClient is using on a Windows development machine. This code works on Windows with the cert in my local machine and current user personal stores and does not work in Linux:
WORKING WINDOWS HTTPCLIENTHANDLER CODE:
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
try
{
var cert = store.Certificates.Find(X509FindType.FindByThumbprint, "<<cert thumbprint here>>", true);
var handler = new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
SslProtocols = SslProtocols.Tls12,
AllowAutoRedirect = false,
AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip
};
handler.ClientCertificates.Add(cert[0]);
}
catch (Exception e)
{
//Handle errors
}
finally
{
store.Close();
}
The cert I imported was .PFX format so as I understand it, the password went in at the time of import and the code for Windows doesn't need to be concerned with it.
The Curl command mentioned above works from the container. So by that logic, if coded or configured properly, the code should be able to do the same thing. As I see it, the Curl command shown above contains four elements that I need to account for in my HttpClientHandler somehow:
The Trusted Root(CA) Certificate: /etc/root/trustedroot.crt
The TLS Certificate: /etc/mutualauth/tls.crt
The Private Key - /etc/mutualauth/tls.key
The PEM Passphrase
I have been reading into this for a couple of months now and have seen various articles and stack overflow posts but there is a staggering amount of variables and details involved with SSL and I cant find anything that directly addresses this in a way that makes sense to me with my limited understanding.
I also have the option of running a Linux script at the time of deployment to add different/other formats of certs/keys to the stores/filesystem in the container. This is how I get the certs and keys into the container in the first place, so I have some control over what I can make happen here as well:
LINUX CONFIG SCRIPT:
cp /etc/root/trustedroot.crt /usr/share/ca-certificates
cp /etc/mutualauth/tls.crt /usr/share/ca-certificates
cp /etc/mutualauth/tls.key /etc/ssl/private
echo "trustedroot.crt" >> /etc/ca-certificates.conf
echo "tls.crt" >> /etc/ca-certificates.conf
update-ca-certificates
dotnet wsdltest.dll --environment=Production --server.urls http://*:80
I do not believe I can get the binary .PFX file into the container due to security policies and limitations, but I definitely can get its string encoded cert and key formats into the container.
...so if there is a way of using different styles of certs that I can extract from the .PFX or specifying password and cert when the server 'spins up' to make my code not require a password, that would work too - I might just be missing something basic in the Linux config.
Would anyone be so kind as to point me in the proper direction to find out how I can uplift my HttpClientHandler code OR Linux config to be able to make this API call? Any ideas are welcome at this point, this has been a thorn in my side for a long time now... Thank you so much!
This was not the right approach.
The correct approach was an NGINX reverse proxy terminating mutual auth TLS so that Dotnetcore doesn't have to.
Save yourself some time and go NGINX!. :D

freeRADIUS server confiuration for 802.1x

I want to configure freeRADIUS server as a authentication server for enterprise WLAN testing. I'm new to freeRADIUS server configuration. please give me the step by step or any link for installation and configuration
Thanks,
Devaa
First we’ll need a place to work, so I created a directory:
mkdir /usr/src/freeradius && cd /usr/src/freeradius
Next we need to fetch our source and get any dependencies, so update your sources and enter the following commands:
apt-get update
apt-get build-dep freeradius
apt-get install libssl-dev fakeroot
apt-get source freeradius
This should have downloaded the FreeRADIUS source code for us, so now we’ll have to make a few changes to tell our compiler to build it with the EAP modules we’ll be using. First edit /usr/src/freeradius/freeradius-1.1.3/debian/control and remove libssl-dev from Build-Conflicts: and add it to the end of Build-Depends: line. Your file should look like this:
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libssl-dev
Build-Conflicts:
Next you’ll need to add descriptions for your EAP modules, so enter the following at the end of the file:
Package: freeradius-eaptls
Architecture: any
Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
Description: eap-tls module for FreeRADIUS server
Debian will not provide a binary version of the rlm_eap_tls.so library. This
module is required if you want to use EAP/TLS authentication, commonly used
for WiFi access points.
Package: freeradius-eappeap
Architecture: any
Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
Description: eap-peap module for FreeRADIUS server
Debian will not provide a binary version of the rlm_eap_peap.so library. This
module is required if you want to use EAP/PEAP authentication, commonly used
for WiFi access points.
Save and exit this file.
Next we’ll edit /usr/src/freeradius/freeradius-1.1.3/debian/rules. Find and comment our the “buildssl=” and “moduleslist=-“ lines and add the following lines:
buildssl=–without-rlm_otp –without-rlm_sql_postgresql –without-snmp
modulelist=krb5 ldap sql_mysql sql_iodbc eap_peap eap_tls
Save and exit.
Now enter the following commands:
echo “usr/lib/freeradius/rlm_eap_tls*.so” >/usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eaptls.install
echo “usr/lib/freeradius/rlm_eap_peap*.so” > /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eappeap.install
Next let’s create /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eaptls.postinst and enter the following:
#! /bin/sh
set -e
case "$1" in
configure)
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d freeradius restart
else
/etc/init.d/freeradius restart
fi
;;
abort-upgrade)
;;
abort-remove)
;;
abort-deconfigure)
;;
esac
#DEBHELPER#
Now we’ll create /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eappeap.postinst and add the following to it:
#! /bin/sh
set -e
case "$1" in
configure)
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d freeradius reload
else
/etc/init.d/freeradius reload
fi
;;
abort-upgrade)
;;
abort-remove)
;;
abort-deconfigure)
;;
esac
#DEBHELPER#
Now that the hard part is finished let’s compile our deb packages. Enter the following command:
cd /usr/src/freeradius/freeradius-1.1.3/
dpkg-buildpackage -rfakeroot -uc -us
If all went well you should now have several of .deb packages in /usr/src/freradius, so let’s install them by entering the following:
dpkg -i freeradius_1.1.3-3_i386.deb
dpkg -i freeradius-eaptls_1.1.3-3_i386.deb
dpkg -i freeradius-eappeap_1.1.3-3_i386.deb
Check to see if FreeRADIUS compiled and installed correctly by issues the following command:
ps aux | grep freeradius
And you should see something similar to this:
freerad 29998 0.0 0.8 44620 2224 ? Ssl 00:55 0:00 /usr/sbin/freeradius
If not start FreeRADIUS in debug mode as root and look for any clues to why things are not working properly:
freeradius –X
Also check /usr/lib/freeradius and ensure that the rlm_eap_peap-1.1.3.so and rlm_eap_tls-1.1.3.so modules exist.
Now to configure FreeRADIUS
First we’ll edit /etc/freeradius/radiusd.conf
NOTE: When editing the configuration files be sure that every open bracket ({) has a corresponding ending bracket (}) or you will break FreeRADIUS!
Find the mschap stanza under MODULES and configure it with the following parameters:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
Next verify the authorize stanza includes these parameters:
preprocess
mschap
suffix
eap
files
Now verify that the authenticate stanza is configured like this:
authenticate {
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# Allow EAP authentication.
eap
}
Now we have to add a client to the clients.conf. By client we mean an authenticator such as an access point (AP) or a wireless controller. For this example we’ll use my Juniper SSG5’s address of 192.168.44.129. Add the following stanza to the clients.conf:
client 192.168.44.129 {
secret = test123
shortname = Juniper
}
Next we’ll configure our server to support PEAP by editing /etc/freeradius/eap.conf.
First change the default_eap_type in the eap stanza to look like this:
default_eap_type = peap
Because PEAP needs to support our example certificates uncomment the tls stanza as well as the following parameters.
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
Next find and uncomment the peap stanza and the following parameter:
default_eap_type = mschapv2
Now add a test user in the /etc/freeradius/users file so we can test the system. Add the following:
“tobias” User-Password == “password123”
Restart FreeRADIUS with the following command:
/etc/init.d/freeradius restart
Now if you’ve done everything correctly you should be able to authenticate with your test user with the following command:
radtest tobias password123 localhost 0 testing123
You should see:
ending Access-Request of id 170 to 127.0.0.1 port 1812
User-Name = "tobias"
User-Password = "password123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=170, length=20
At this point everything should be working, although you would have to export your CA’s certificate to your PEAP clients so they would trust the server certificate being used by FreeRADIUS. The certificates we are currently using are there only to test with and should not be used for production. Next I’ll explain how to setup your own certificate authority (CA) and create your own certificates.
First we’ll need to install OpenSSL and since we’ll need to generate some complex passwords we’ll also install PWGen the password generator.
apt-get install openssl pwgen
OpenSSL uses a defaults file, /etc/ssl/openssl.cnf, that we’ll backup and edit to save us some time when we start generating our certs.
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
Now edit /etc/ssl/openssl.cnf and find this line:
dir =./demoCA
and change to:
dir =/etc/freeradius/eap/eapCA
This is the location were I’ll be creating the new CA. You might want to look through the rest of the file and edit the defaults to your environment. Here are some of the changes that I made to my openssl.cnf.
-countryName_default = AU
+countryName_default = US
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Oregon
+localityName_default = Portland
-0.organizationName_default = Widget ltd
+0.organizationName_default = Fat of the LAN
Now create and change to the directory that all of our certificates and CA will exist:
mkdir /etc/freeradius/eap && cd /etc/freeradius/eap
We will use one of OpenSSL’s included scripts to generate our CA, but you’ll want to customize it a bit before we use it so we’ll make a copy of it in our certificate directory.
cp /usr/lib/ssl/misc/CA.pl /etc/freeradius/eap
Next we have to edit CA.pl to tell it where to create our CA. Open it and change the following line:
CATOP=./demoCA
to:
CATOP=/etc/freeradius/eap/eapCA
Your CA is at the heart of your certificate infrastructure so it is important to protect it once you’ve generated it as well as use a strong password for it. I’ll generate a nice random 25 character password with pwgen. Be sure to record this password as you’ll need it each time you sign a certificate.
pwgen 25 1
aem5xahheethohP5Woh5Eb3ph
Now let’s run the script from within the /etc/freeradius/eap directory.
cd /etc/freeradius/eap
./CA.pl –newca
Answer all of the questions based on your environment and use the password you just created when prompted. When the script finishes you’ll have your own CA in /etc/freeradius/eap/eapCA. The next thing we need to do is create a server certificate for FreeRADIUS and sign it with our new CA.
./CA.pl –newreq-nodes
We should now have a new key pair as well as a signing request ready to send to our CA.
A quick note on compatibility. If you plan to use any of these certificates on Windows clients you’ll need to add XP extensions to the certificates you generate. The xpextensions file is included with Debian’s FreeRADIUS packages and I’ll include it in the appendix for our non-Debian readers. Just make a copy of it in our certificate directory.
cp /usr/share/doc/freeradius/examples/xpextensions /etc/freeradius/eap
Now let’s use our CA key to sign the FreeRADIUS’ certificate request, entering the CA’s password when prompted:
./CA.pl –sign (Optionally add -extensions xpserver_ext -extfile /etc/freeradius/eap/xpextensions)
Now that all of the certificates we need are generated, we need to create a couple of files needed for keying material and tell FreeRADIUS to use the new certs. To create the dh and random files, issue the following command:
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
chmod 640 random newcert.pem newkey.pem newreq.pem dh
Now open your /etc/freeradius/eap.conf file, find the tls stanza, and change to reflect the new certificates we created.
private_key_file = /etc/freeradius/eap/newkey.pem
certificate_file = /etc/freeradius/eap/newcert.pem
CA_file = /etc/freeradius/eap/eapCA/cacert.pem
dh_file = /etc/freeradius/eap/dh
random_file = /etc/freeradius/eap/random
And while we’re at it, uncomment the following lines:
fragment_size = 1024
include_length = yes
Restart FreeRADIUS and copy your CA’s certificate (/etc/freeradius/eap/eapCA/cacert.pem) to your clients. Configure your clients’ supplicant for your new PEAP enabled SSID, configure your AP to use 802.1x and your new FreeRADIUS server and you’re good to go!
If you are looking for more information on RADIUS, check out this book. It’s been extremely helpful thus far.
This question is so broad. It really depends on what you want to do, where your authentication data (e.g. users/passwords) is stored, what type of EAP methods you are going to use, etc.
However, the default FreeRADIUS configuration will work pretty well for most testing with minimal changes.
Start by editing the raddb/users file and add a new user to the top. The form should be like
username Cleartext-Password := "password"
Then you can use radtest or eapol_test to check to see if this is working.
When that works, you can edit the clients.conf file to add your wireless AP or controller.
You should then be able to connect from the wireless network.
However, this can be quite complicated and there are lots of things to go wrong along the way, so don't be discouraged if it doesn't work first time.
Always run the server with debugging on (radiusd -X) when testing, and read all the output. It will show you where things are failing.
There is a lot of information on the FreeRADIUS wiki, for example start with the Basic configuration HOWTO. There is also lots of good tutorial advice on Alan Dekok's page. Note that for wireless you do need to configure EAP.
Here is a step by step link that I used for my freeradius installation.
Freeradius 3 Ubuntu tutorial
If you're still having issues, get a vps that comes with radius installed

Setting up an SSH tunnel on Heroku: installing SSH key pairs?

My RoR app needs to access a remote database (FWIW it's mysql hosted on rds.amazonaws.com). The only way to access it is through an SSH tunnel.
I've already tested access on my local machine. I'm setting up the tunnel via the equivalent of:
ssh -f -N -L 3307:longname.rds.amazonaws.com:3306 remote_user#remote_host.com
(but see https://stackoverflow.com/a/27305457/558639 to see how I'm actually doing it). At any rate, I will need to install an SSH key pair (both private and public parts) on Heroku for this to work.
I'm on unfamiliar territory here, though. I could write a script that starts up at the beginning of a Heroku session that installs the keys. What's the right way to accomplish this and not expose the private key unnecessarily?
Here's what I've come up with. (See SSH tunneling from Heroku for a longer description.)
set up a bunch of environment variables, including the public and private keys, using heroku config:set NAME1=value1 NAME2=value2 etc...
create .profile.d/web-setup.sh with the following contents. Note that as per https://devcenter.heroku.com/articles/profiled, any file in the .profile.d directory will be run when the dyno is first set up.
NOTE: This way, the private SSH key only appears as a configuration variable in the heroku environment. Since other sensitive information is kept there, I assume that this is a relatively safe approach.
The .profile.d/web-setup.sh file contains:
# file=.profile.d/web-setup.sh
# create keypair files on this dyno
echo $0: creating public and private key files
mkdir -p ${HOME}/.ssh
echo "${PUBLIC_KEY}" > ${HOME}/.ssh/heroku_id_rsa.pub
chmod 644 ${HOME}/.ssh/heroku_id_rsa.pub
# note the use of double quotes to preserve newlines!
echo "${PRIVATE_KEY}" > ${HOME}/.ssh/heroku_id_rsa
chmod 600 ${HOME}/.ssh/heroku_id_rsa
# You may need to preload known-hosts here. See
# https://stackoverflow.com/questions/21575582/ssh-tunneling-from-heroku/27361295#27361295
# on how to do that.
# open a tunnel if not already running
SSH_CMD="ssh -f -i ${HOME}/.ssh/heroku_id_rsa -N -L ${LOCAL_PORT}:${REMOTE_MYSQL_HOST}:${MYSQL_PORT} ${REMOTE_USER}#${REMOTE_SITE}"
PID=`pgrep -f "${SSH_CMD}"`
if [ $PID ] ; then
echo $0: tunnel already running on ${PID}
else
echo $0 launching tunnel
$SSH_CMD
fi

Rails/Rubber can't create staging

Trying to get started with a Rails Amazon EC2 deployment using https://github.com/rubber/rubber, and I keep ending up here after attempting to create a staging server with cap rubber:create_staging:
** [out :: production.foo.com] curl: (7) couldn't connect to host command finished in 2022ms
failed: "/bin/bash -l -c 'sudo -p '\\''sudo password: '\\'' bash -l /tmp/create_inputs'" on production.foo.com
I've been sticking with Rubber's quickstart guide, but can't solve this. I'm using rvm, if that makes a difference to anyone.
Any ideas?
It looks like you are trying to connect to production.foo.com. Change your configuration to connect to the right remote server or if you are running locally in the EC2 instance you can make it localhost.
Make sure you setup your public ssh key in the ~/.ssh/authorized_keys for the user that you are trying to deploy as. This is to allow capistrano/rubber to do passwordless ssh authentication.
Reviving an old post here but there's another possible cause of this issue that I've just encountered so figured this might help someone else.
I had to re-create and download a new keypair for my ec2 instances. When I moved it to ~/.ec2/gsg-keypair I forgot to alter the permissions.
When SSH'ing directly into the instance you get the full warning, which makes debugging it easy:
UNPROTECTED PRIVATE KEY FILE! permissions 0644 for 'xxxxx.pem' are
too open. It is recommended that your private key files are NOT
accessible by others. This private key will be ignored. bad
permissions: ignore key: xxxxx.pem Permission denied (publickey).
But when running a rubber task you simply get a generic CURL error. If this is the case for you too just update the permissions like this:
chmod 600 ~/.ec2/gsg-keypair

Getting error: Peer authentication failed for user "postgres", when trying to get pgsql working with rails

I'm getting the error:
FATAL: Peer authentication failed for user "postgres"
when I try to make postgres work with Rails.
Here's my pg_hba.conf, my database.yml, and a dump of the full trace.
I changed authentication to md5 in pg_hba and tried different things, but none seem to work.
I also tried creating a new user and database as per Rails 3.2, FATAL: Peer authentication failed for user (PG::Error)
But they don't show up on pgadmin or even when I run sudo -u postgres psql -l.
Any idea where I'm going wrong?
The problem is still your pg_hba.conf file*.
This line:
local all postgres peer
Should be:
local all postgres md5
After altering this file, don't forget to restart your PostgreSQL server. If you're on Linux, that would be sudo systemctl restart postgresql (on older systems: sudo service postgresql restart).
Locating hba.conf
Note that the location of this file isn't very consistent.
You can use locate pg_hba.conf or ask PostgreSQL SHOW hba_file; to discover the file location.
Usual locations are /etc/postgresql/[version]/main/pg_hba.conf and /var/lib/pgsql/data/pg_hba.conf.
These are brief descriptions of the peer vs md5 options according to the official PostgreSQL docs on authentication methods.
Peer authentication
The peer authentication method works by obtaining the client's
operating system user name from the kernel and using it as the allowed
database user name (with optional user name mapping). This method is
only supported on local connections.
Password authentication
The password-based authentication methods are md5 and password. These
methods operate similarly except for the way that the password is sent
across the connection, namely MD5-hashed and clear-text respectively.
If you are at all concerned about password "sniffing" attacks then md5
is preferred. Plain password should always be avoided if possible.
However, md5 cannot be used with the db_user_namespace feature. If the
connection is protected by SSL encryption then password can be used
safely (though SSL certificate authentication might be a better choice
if one is depending on using SSL).
After installing Postgresql I did the below steps.
Open the file pg_hba.conf. For Ubuntu, use for example /etc/postgresql/13/main$ sudo nano pg_hba.conf and change this line at the bottom of the file, it should be the first line of the settings:
local all postgres peer
to
local all postgres trust
Side note: If you want to be able to connect with other users as well, you also need to change:
local all all peer
to
local all all md5
If you used nano editor, exit with double Escape, x, y, Enter to save the config file.
Restart the server
$ sudo service postgresql restart
Output: * Restarting PostgreSQL 13 database server
Login into psql and set your password
$ psql -U postgres
db> ALTER USER postgres with password 'your-pass';
Output: ALTER ROLE
Side note: If you have other users, they will need a password as well:
db> ALTER USER my_user with password 'your-pass';
Then enter:
exit
Finally change the pg_hba.conf from
local all postgres trust
to
local all postgres md5
Restart the server again
$ sudo service postgresql restart
Output: * Restarting PostgreSQL 13 database server
Login at psql with postgres user
After restarting the postgresql server, the postgres user accepts the password that you chose:
psql -U postgres
Output:
Password for user postgres:
psql (13.4 (Ubuntu 13.4-1.pgdg20.04+1))
Type "help" for help.
And you are in psql:
postgres=#
Side note: Same now works for my_user if you added the user and password:
psql -d YOUR_DB_NAME -U my_user
Which will ask you for the new password of my_user.
Authentication methods details:
trust - anyone who can connect to the server is authorized to access the database
peer - use client's operating system user name as database user name to access it.
md5 - password-base authentication
for further reference check here
If you connect over localhost (127.0.0.1) you shouldn't experience that particular issue. I wouldn't muck much with the pg_hba.conf but instead I would adjust your connection string:
psql -U someuser -h 127.0.0.1 database
where someuser is your user you're connecting as and database is the database your user has permission to connect to.
Here is what I do on Debian to setup postgres:
http://www.postgresql.org/download/linux/debian/ (Wheezy 7.x)
as root …
root#www0:~# echo "deb http://apt.postgresql.org/pub/repos/apt/ wheezy-pgdg main" >> /etc/apt/sources.list
root#www0:~# wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
root#www0:~# apt-get update
root#www0:~# apt-get install postgresql-9.4
root#www0:~# su - postgres
postgres#www0:~$ createuser --interactive -P someuser
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) n
postgres#www0:~$ createdb -O someuser database
postgres#www0:~$ psql -U someuser -h 127.0.0.1 database
Enjoy!
This has worked for me !!
sudo -u postgres psql
sudo psql --host=localhost --dbname=database-name --username=postgres
This solved my issue
If you have an issue, you need to locate your pg_hba.conf. The command is:
find / -name 'pg_hba.conf' 2>/dev/null
and after that change the configuration file:
Postgresql 9.3
Postgresql 9.4
The next step is: Restarting your db instance:
service postgresql-9.3 restart
If you have any problems, you need to set password again:
ALTER USER db_user with password 'db_password';
Go to this /etc/postgresql/9.x/main/ and open pg_hba.conf file
In my case:
$> sudo nano /etc/postgresql/9.3/main/pg_hba.conf
Replace peer with md5
So this will be changed to:
Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
This:
Database administrative login by Unix domain socket
local all postgres md5
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
Then restart pg server:
$> sudo service postgresql restart
Below is list of METHODS used to connect with postgres:
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
Note: If you have not create you postgres user yet. Create that and now you can access postgres server using that user credentials.
TIP: If it does not work after postgres restart then close terminal and open again.
Simplest solution without changing configs. (ubuntu)
Change user, then connect to database cli.
sudo -i -u postgres
psql
taken from https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-ubuntu-18-04
I was moving data directory on a cloned server and having troubles to login as postgres. Resetting postgres password like this worked for me.
root# su postgres
postgres$ psql -U postgres
psql (9.3.6)
Type "help" for help.
postgres=#\password
Enter new password:
Enter it again:
postgres=#
I had the same problem.
The solution from depa is absolutely correct.
Just make sure that u have a user configured to use PostgreSQL.
Check the file:
$ ls /etc/postgresql/9.1/main/pg_hba.conf -l
The permission of this file should be given to the user you have registered your psql with.
Further. If you are good till now..
Update as per #depa's instructions.
i.e.
$ sudo nano /etc/postgresql/9.1/main/pg_hba.conf
and then make changes.
If you want to keep the default config but want md5 authentication with socket connection for one specific user/db connection, add a "local" line BEFORE the "local all/all" line:
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local dbname username md5 # <-- this line
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 ident
# IPv6 local connections:
host all all ::1/128 ident
Most of the solutions are suggest editing the pg_hba.conf.
For you who don't want to edit the configuration file, you basically just need to log in to the postgres user. If you are using/in Linux server, use this command
sudo -i -u postgres
It'll create user postgres and then log in to it. Now try your psql command again.
You can also add postgres user a password with the command: (you should be in root user)
passwd postgres
This is works because according to this PostgreSQL's Documentation,
Peer Authentication
The peer authentication method works by obtaining the client's
operating system user name from the kernel and using it as the allowed
database user name (with optional user name mapping). This method is
only supported on local connections.
The edits above worked for me, after I figured out that I needed to restart the postgres server after making them.
For ubuntu:
sudo /etc/init.d/postgresql restart
Changing METHOD peer to trust in pg_hba.conf (/etc/postgresql/9.1/main/pg_hba.conf | line 85) solves the issue. Adding md5 asks for a password, hence if there is a requirement to avoid using passwords, use trust instead of md5.
Use host=localhost in connection.
PGconn *conn = PQconnectdb(
"host=localhost user=postgres dbname=postgres password=123"
);
Please follow the below steps
1). First, navigate to the /etc/postgresql/{your pg version}/main directory.
My version is 10 Then:
cd /etc/postgresql/10/main
2). Here resides the pg_hba.conf file needs to do some changes here you may need
sudo access for this.
sudo nano pg_hba.conf
3). Scroll down the file till you find this –
# Database administrative login by Unix domain socket
local all postgres peer
4). Here change the peer to md5 as follows.
# Database administrative login by Unix domain socket
local all all md5
peer means it will trust the authenticity of UNIX user hence does not
prompt for the password. md5 means it will always ask for a password,
and validate it after hashing with MD5.
5).Now save the file and restart the Postgres server.
sudo service postgresql restart
Now it should be ok.
This error may occur when you do not provide the host. The following scenario resembles it.
user#homepc:~$ psql -d test_db -U test_user
psql: error: FATAL: Peer authentication failed for user "test_user"
user#homepc:~$ psql -h localhost -d test_db -U test_user
Password for user test_user:
Providing host resolved my issue in psql command line. Try providing host in connection configuration for postgress in rails.
the below command works for me:
psql -d myDb -U username -W
You need just set METHOD to trust.
#TYPE DATABASE USER ADDRESS METHOD
local all all trust
And reload postgres server.
# service postgresql-9.5 reload
Changes in pg_hba.conf dont require RESTART postgres server. just RELOAD.
pg_config is for compliation information, to help extensions and client programs compile and link against PostgreSQL. It knows nothing about the active PostgreSQL instance(s) on the machine, only the binaries.
pg_hba.conf can appear in many other places depending on how Pg was installed. The standard location is pg_hba.conf within the data_directory of the database (which could be in /home, /var/lib/pgsql, /var/lib/postgresql/[version]/, /opt/postgres/, etc etc etc) but users and packagers can put it wherever they like. Unfortunately.
The only valid ways find pg_hba.conf is to ask a running PostgreSQL instance where it's pg_hba.conf is, or ask the sysadmin where it is. You can't even rely on asking where the datadir is and parsing postgresql.conf because an init script might passed a param like -c hba_file=/some/other/path when starting Pg.
What you want to do is ask PostgreSQL:
SHOW hba_file;
This command must be run on a superuser session, so for shell scripting you might write something like:
psql -t -P format=unaligned -c 'show hba_file';
and set the environment variables PGUSER, PGDATABASE, etc to ensure that the connection is right.
Yes, this is somewhat of a chicken-and-egg problem, in that if the user can't connect (say, after screwing up editing pg_hba.conf) you can't find pg_hba.conf in order to fix it.
Another option is to look at the ps command's output and see if the postmaster data directory argument -D is visible there, e.g.
ps aux | grep 'postgres *-D'
since pg_hba.conf will be inside the data directory (unless you're on Debian/Ubuntu or some derivative and using their packages).
If you're targeting specifically Ubuntu systems with PostgreSQL installed from Debian/Ubuntu packages it gets a little easier. You don't have to deal with hand-compiled-from-source Pg that someone's initdb'd a datadir for in their home dir, or an EnterpriseDB Pg install in /opt, etc. You can ask pg_wrapper, the Debian/Ubuntu multi-version Pg manager, where PostgreSQL is using the pg_lsclusters command from pg_wrapper.
If you can't connect (Pg isn't running, or you need to edit pg_hba.conf to connect) you'll have to search the system for pg_hba.conf files. On Mac and Linux something like sudo find / -type f -name pg_hba.conf will do. Then check the PG_VERSION file in the same directory to make sure it's the right PostgreSQL version if you have more than one. (If pg_hba.conf is in /etc/, ignore this, it's the parent directory name instead). If you have more than one data directory for the same PostgreSQL version you'll have to look at database size, check the command line of the running postgres from ps to see if it's data directory -D argument matches where you're editing, etc.
https://askubuntu.com/questions/256534/how-do-i-find-the-path-to-pg-hba-conf-from-the-shell/256711
Many of the other answers pertain to settings in the various config files, and the ones pertaining to the pg_hba.conf do apply and are 100% correct. However, make sure you are modifying the correct config files.
As others have mentioned the config file locations can be overridden with various settings inside the main config file, as well as supplying a path to the main config file on the command line with the -D option.
You can use the following command while in a psql session to show where your config files are being read (assuming you can launch psql). This is just a troubleshooting step that can help some people:
select * from pg_settings where setting~'pgsql';
You should also make sure that the home directory for your postgres user is where you expect it to be. I say this because it is quite easy to overlook this due to the fact that your prompt will display '~' instead of the actual path of your home directory, making it not so obvious. Many installations default the postgres user home directory to /var/lib/pgsql.
If it is not set to what it is supposed to be, stop the postgresql service and use the following command while logged in as root. Also make sure the postgres user is not logged into another session:
usermod -d /path/pgsql postgres
Finally make sure your PGDATA variable is set correctly by typing echo $PGDATA, which should output something similar to:
/path/pgsql/data
If it is not set, or shows something different from what you expect it to be, examine your startup or RC files such as .profile or .bash.rc - this will vary greatly depending on your OS and your shell. Once you have determined the correct startup script for your machine, you can insert the following:
export PGDATA=/path/pgsql/data
For my system, I placed this in /etc/profile.d/profile.local.sh so it was accessible for all users.
You should now be able to init the database as usual and all your psql path settings should be correct!
If you are facing this issue with rails and you know that you already have created that user-name with password along with correct rights then you just need to put following at the end of your database.yml file.
host: localhost
overall file will look like below
development:
adapter: postgresql
encoding: unicode
database: myapp_development
pool: 5
username: root
password: admin
host: localhost
You do not need to touch you pg_hba.conf file at all. Happy coding
My issue was that I did not type any server. I thought it is a default because of placeholder but when I typed localhost it did work.
If you are trying to locate this file in Cloud 9, you can do
sudo vim /var/lib/pgsql9/data/pg_hba.conf
Press I to edit/insert, press ESC 3 times and type :wq will save the file and quit
In my case, I was not even able to edit or see the content of pg_hba.conf file.
What worked was:
/etc/postgresql/14/main$ sudo vi pg_hba.conf
Vi editor with sudo permission.
On CentOS 7, PG 10, the file path is
/var/lib/pgsql/10/data/pg_hba.conf
Also, If you don't have access to the script from postgres account you can use the approach below.
$ cat ./init-user-db.sh | sudo -i -u postgres bash

Resources