Description on docker image
POSTGRES_HOST_AUTH_METHOD
This optional variable can be used to control the auth-method for host connections for all databases, all users, and all addresses. If unspecified then md5 password authentication is used. On an uninitialized database, this will populate pg_hba.conf via this approximate line:
echo "host all all all $POSTGRES_HOST_AUTH_METHOD" >> pg_hba.conf
Yes, this happens, and at the _bottom_ of pg_hba.conf a line host all all all md5 is present. The problem is that we still have the standard row _above_:
# IPv4 local connections:
host all all 127.0.0.1/32 trust
And because it is above, it gets applied first for connections from localhost. And it does allow logging in without any password specified.
Postgres official docs:
The first record with a matching connection type, client address, requested database, and user name is used to perform authentication.
Is this overlooked, or are IPv4 local connections not considered "host" ones?
psql -h localhost postgres postgres
Right, the second entry: host all all 127.0.0.1/32 trust is the first matching line for an ipv4 tcp/ip localhost connection
Doing -h localhost will actually use the unix socket, but the preceding local all all trust entry marks that connection method as trusted also
So then the host all all all md5 entry matches everything that's not unix socket or 127.0.0.1/32
POSTGRES_HOST_AUTH_METHOD was added from the discussion in https://github.com/docker-library/postgres/issues/580
Also https://github.com/docker-library/postgres/issues/580#issuecomment-498390248
localhost doesn't mean anything in a Docker context. If you're running your database with localhost being the only thing accessible inside Docker, you might as well not be running it at all (since localhost is only accessible from directly within the PostgreSQL container itself).
@wglambert
Thank you for the clarifications. I didn't know that -h localhost will still use the socket and not a TCP/IP connection.
Actually, I am wondering how it is then possible to trigger a TCP/IP connection via psql from localhost. The documentation says that if -h is not specified then "local socket" is used. And I was assuming that otherwise we would not use the socket but TCP/IP.
$ psql --help
Connection options:
-h, --host=HOSTNAME database server host or socket directory (default: "local socket")
Ah I was thinking of mysql which uses a unix socket if the hostname is localhost https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-connection-socket.html
You're right Postgres still uses tcp/ip for localhost and 127.0.0.1
If you have further questions you could try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow, since these repos aren't really a user-help forum.
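The first-match behaviour discussed in this thread, as an added example (not code from the image or from any commenter): a simplified pg_hba.conf matcher that reports which record decides a connection. The sample file, the address 172.17.0.2 and the function names are constructed for illustration, and only `all` and CIDR address fields are handled.

```python
import ipaddress

# Constructed sample: the default rules quoted in the thread, plus the line
# the image entrypoint appends when POSTGRES_HOST_AUTH_METHOD=md5.
PG_HBA = """\
# "local" is for Unix domain socket connections only
local   all   all                  trust
# IPv4 local connections:
host    all   all   127.0.0.1/32   trust
# IPv6 local connections:
host    all   all   ::1/128        trust
host all all all md5
"""

def parse_hba(text):
    """Return (lineno, type, database, user, address, method) per record."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":          # local records have no address column
            fields.insert(3, None)
        rules.append((lineno, *fields[:5]))
    return rules

def _name_ok(field, value):
    return field == "all" or value in field.split(",")

def _addr_ok(field, client):
    if field is None or field == "all":
        return True
    # Membership is False when IP versions differ, so ::1 never hits a v4 rule.
    return ipaddress.ip_address(client) in ipaddress.ip_network(field)

def first_match(rules, conn_type, database, user, client=None):
    """Simplified first-match lookup; returns (lineno, method) or None."""
    for lineno, rtype, rdb, ruser, raddr, method in rules:
        if (rtype == conn_type and _name_ok(rdb, database)
                and _name_ok(ruser, user) and _addr_ok(raddr, client)):
            return lineno, method
    return None   # PostgreSQL rejects a connection that matches no record

if __name__ == "__main__":
    rules = parse_hba(PG_HBA)
    for ctype, client in [("local", None), ("host", "127.0.0.1"),
                          ("host", "::1"), ("host", "172.17.0.2")]:
        print(ctype, client, first_match(rules, ctype, "postgres", "postgres", client))
```

Running the same lookup against the pg_hba.conf inside a container shows which clients ever reach the appended md5 record and which are decided by an earlier trust record.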