Introduction
This document describes how to require a password to access the postgres user in a High Availability (HA) setup.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cloud Center < v4.8.0.1
- 4.8.0.1 upgrade
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Problem: Postgres User on CCM database doesn't Require a Password
In an HA setup where the Cloud Center Manager (CCM) database (DB) is separate from the CCM, the postgres user on the CCM database does not require a password to connect. This affects versions older than 4.8.0.1 and deployments that were upgraded to 4.8.0.1 from an older version (clean installs after 4.8.0.1 are not affected). This is a potential security vulnerability.
Solution
On each DB instance run these commands:
echo "*:*:*:replication:password" >> /root/.pgpass
echo "*:*:*:replication:password" >> ~postgres/.pgpass
sed -i 's/\(0.0.0.0.*\)trust/\1md5/' /var/lib/pgsql/9.5/data/pg_hba.conf
Confirm that all instances of trust in pg_hba.conf have been changed to md5. If any were not changed, manually change the word trust to md5.
su - postgres
/usr/pgsql-9.5/bin/pg_ctl reload
\q
This reloads postgres with the configuration changes and ensures that the database is not open for password-less authentication.
To confirm that the issue is resolved, log in to the CCM and run this command. If you are prompted for the postgres password, the changes were successful.
psql -h IP_ADDRESS_OF_DATABASE -U postgres
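The pg_hba.conf confirmation step above can be scripted. This added example (not part of the original procedure) lists every record whose authentication method is still trust, including local records and others that the sed expression leaves alone because they do not match its 0.0.0.0 pattern. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: print pg_hba.conf records whose auth method is still "trust".
# Assumes no quoted database or user names that contain spaces.
# Real use: trust_lines /var/lib/pgsql/9.5/data/pg_hba.conf  (empty output = no trust records)
trust_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            if ($1 == "local") {
                method = $4                     # local DATABASE USER METHOD
            } else if ($5 ~ /^[0-9.]+$/ || $5 ~ /:/) {
                method = $6                     # host DB USER IP-ADDRESS IP-MASK METHOD
            } else {
                method = $5                     # host DB USER ADDRESS METHOD
            }
            if (method == "trust") { print NR ": " $0 }
        }
    ' "$1"
}

# Constructed sample file, not taken from a real system.
sample_hba() {
cat <<'EOF'
# TYPE  DATABASE     USER         ADDRESS                 METHOD
local   all          all                                  trust
host    all          all          127.0.0.1/32            md5
host    all          all          0.0.0.0/0               md5
host    replication  replication  10.0.0.5  255.255.255.255  trust
host    all          all          ::1/128                 trust
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_hba > "$tmp"
trust_lines "$tmp"
rm -f "$tmp"
```

Run the function against the real pg_hba.conf on each DB instance before the reload; any line it prints still allows password-less access for the listed connection type.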