Postgres connection access denied on IPv6 address
Problem
Installed PostgreSQL 9.1 x64 on Windows, set up a listen address, but when connecting with pgAdmin I get the following error. Not sure why PostgreSQL is seeing my IPv6 address and not my regular IP address:
To get authentication working, based on the error message, I updated pg_hba.conf with this:
host all all fe80::c5d2:XXXX:XXXX:3bc0/12 trust
That worked, but it's ugly, and too specific. I tried the following based on PostgreSQL docs, but none worked, I get the same 'access denied' error:
local all all trust
host all all 0.0.0.0/12 trust
I got this one working, which covers the entire IPv6 address space, but how can I specify an IPv6 range for more restriction?
host mydb myuser ::/0 trust
Questions
- Why does pgAdmin pick up my IPv6 address and not my normal IP?
- How do I specify a range in IPv6 without resorting to ::/0?
Solution
The IPv6 addresses starting with fe80: are link-local addresses. They cannot be routed across different subnets or the internet. They are for communication between machines connected to the same LAN only. The link-local range is defined as fe80::/10. If you trust everybody on your local LAN then you could do:
host all all fe80::/10 trust
If you don't trust everybody on your local LAN then you probably want to use username+password protection:
host all all fe80::/10 md5
When specifying md5 you are still using username+password protection, but the password is not transmitted in a readable format anymore. Since you're not trusting people on your local LAN you probably shouldn't send a snoopable password over the wire either.
Context
StackExchange Database Administrators Q#43608, answer score: 22
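An added example, not part of the original question or answer: a Python check that evaluates `host` records the way PostgreSQL does (the first matching record decides, and an IPv4 entry never matches an IPv6 client), run over a constructed sample file built from the rule lines quoted above. It handles only CIDR-form addresses and plain or comma-separated database and user names; the function names and client addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf built from the rule lines quoted on this page.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER    ADDRESS      METHOD
local   all       all                  trust
host    all       all     0.0.0.0/12   trust
host    all       all     fe80::/10    md5
host    mydb      myuser  ::/0         trust
"""

def parse_host_rules(text):
    """Return (line_no, database, user, network, method) for CIDR-form 'host' lines."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        # 'local' lines are Unix-socket only and never apply to a TCP client.
        if len(fields) < 5 or fields[0] != "host" or "/" not in fields[3]:
            continue
        net = ipaddress.ip_network(fields[3], strict=False)
        rules.append((n, fields[1], fields[2], net, fields[4]))
    return rules

def first_match(rules, database, user, client):
    """First matching record decides; None means no record matched (rejected)."""
    addr = ipaddress.ip_address(client.split("%", 1)[0])  # drop any zone id
    for n, db, usr, net, method in rules:
        if db != "all" and database not in db.split(","):
            continue
        if usr != "all" and user not in usr.split(","):
            continue
        # An IPv4 entry never matches an IPv6 client, and vice versa.
        if addr.version == net.version and addr in net:
            return n, str(net), method
    return None

def broad_trust(rules):
    """Flag 'trust' records that cover an entire address family (prefix /0)."""
    return [(n, str(net)) for n, _, _, net, m in rules if m == "trust" and net.prefixlen == 0]

if __name__ == "__main__":
    rules = parse_host_rules(SAMPLE_HBA)
    # Constructed client addresses: link-local, global IPv6, private IPv4.
    for client in ("fe80::1%11", "2001:db8::5", "192.168.1.10"):
        print(client, "->", first_match(rules, "mydb", "myuser", client))
    print("trust on whole family:", broad_trust(rules))
```

Against this sample, the link-local client lands on the `fe80::/10 md5` record, while any other IPv6 client connecting as myuser to mydb falls through to the `::/0 trust` record, which `broad_trust` reports.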