4

I am trying to run some PostgreSQL commands through a Fabric script. When I execute the script I get:

out: psql: FATAL:  Peer authentication failed for user "sparc2"

This is what my pg_hba.conf file looks like:

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     postgres                                peer
#host    replication     postgres        127.0.0.1/32            md5
#host    replication     postgres        ::1/128                 md5
# added
local   sparc2          sparc2                                  md5
host    sparc2          sparc2           127.0.0.1/32           md5
host    sparc2          sparc2           10.0.2.2/32            md5
host    all             all              all                    password

I have also modified the postgresql.conf file by adding this line:

listen_addresses = '*'

After applying the changes I restarted postgresql. But the error is still the same.

3
  • Have you actually added the user (with CREATE USER or an equivalent method)? Commented Aug 11, 2017 at 10:28
  • The user was created through an Ansible script: - name: "Grant All Privileges to {{ DB_USER }}" become: yes become_user: postgres postgresql_privs: db: "{{ DB_NAME }}" role: "{{ DB_USER }}" privs: ALL type: schema objs: public Commented Aug 11, 2017 at 10:33
  • These are the user specs from pgAdmin: CREATE ROLE sparc2 LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION; Commented Aug 11, 2017 at 10:34

1 Answer

10

PostgreSQL has 2 connection entry points:

  1. TCP/IP (host in pg_hba.conf)
  2. Unix sockets (local in pg_hba.conf)

Your server is configured to use peer auth, which works only for Unix sockets and means: ask the kernel whether the OS username matches the DB username.

You have the following options:

  • change pg_hba.conf to use md5 auth for local socket connections, or
  • change the connection settings in your script to use an IP connection (127.0.0.1 should work) instead of a socket connection. [This may not require editing the files - sometimes setting the PGHOST variable is enough], or
  • make your script run from OS user sparc2, not postgres.

Risks / drawbacks

  • if you change peer to md5, some automation scripts that run from the "postgres" OS user and rely on "peer" auth will stop working. They will start asking for a password.
  • if you change peer to md5 and forget the database superuser password, you may have to re-enable peer auth to reset it.

In general, the "peer" auth is OK. The ease and security of kernel-based local auth are the reason why many distributions choose it for local admin connections. It is especially useful on multi-user shell servers. You can disable it for selected accounts only:

#CHANNEL  DB    USER     METHOD
local     all   sparc2   md5
local     all   all      peer

More details: here and here.

2 Comments

Great. Thanks a lot for the answer. The first option worked. I am not an expert with these customizations. Are there any risks doing this?
@user1919 the only risk of changing peer to md5: some automation scripts that rely on "peer" auth will stop working. They will start asking for a password.
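
The answer's closing example depends on record order: PostgreSQL authenticates with the first pg_hba.conf record that matches the connection type, database, user and client address. The sketch below is an added example, not code from the question or the answer; it replays that first-match rule over the question's file and over the answer's ordering. The function names are hypothetical, and it assumes only `local` and `host` records with `all` or literal names and CIDR (or `all`) addresses.

```python
import ipaddress

# pg_hba.conf records from the question (comment lines dropped).
QUESTION_HBA = """\
local   all      all                     peer
host    all      all     127.0.0.1/32    md5
host    all      all     ::1/128         md5
local   sparc2   sparc2                  md5
host    sparc2   sparc2  127.0.0.1/32    md5
host    sparc2   sparc2  10.0.2.2/32     md5
host    all      all     all             password
"""

# Ordering from the answer: the sparc2 rule precedes the catch-all.
ANSWER_HBA = """\
local   all   sparc2   md5
local   all   all      peer
"""

def parse_hba(text):
    """Return (type, databases, users, address, method) for each record."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        is_local = fields[0] == "local"  # local records have no address column
        addr, method = (None, fields[3]) if is_local else (fields[3], fields[4])
        rules.append((fields[0], fields[1].split(","), fields[2].split(","), addr, method))
    return rules

def addr_matches(spec, client):
    """True if spec is 'all' or the client IP is inside the record's CIDR."""
    # A v4 client is never "in" a v6 network (and vice versa): the test is False.
    return spec == "all" or (
        ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False))

def first_match(rules, conn, db, user, client=None):
    """Return the auth method of the first record matching the connection."""
    for rtype, dbs, users, addr, method in rules:
        if (rtype == conn and ("all" in dbs or db in dbs)
                and ("all" in users or user in users)
                and (conn == "local" or addr_matches(addr, client))):
            return method
    return None  # no matching record: the server rejects the connection

if __name__ == "__main__":
    print(first_match(parse_hba(QUESTION_HBA), "local", "sparc2", "sparc2"))  # peer
```

Run against the question's file, a TCP client from an address other than the listed ones falls through to the final `host all all all password` record, and the `password` method sends the password in clear text.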
