[Babase] Re: Ranker security problems

Karl O. Pinc kop at meme.com
Mon Aug 20 11:25:25 EDT 2007


Hunter and Jun,

I believe the problem is in the application but am not 100%
certain because I can't _fully_ test.  Hunter, synapse and neuron
do not have psql (the postgresql rpm IIRC) so the only testing
I'm able to do (easily) is connecting to papio's public IP from papio
itself.  Could you install psql so I can test?

Hunter, Susan, and Jeanne,

One solution would be to allow non-encrypted connections.
I don't like this for several reasons but if that's
what y'all decide you want I'd go along (after complaining.)

Jun,

I believe that the ranker program is not attempting
to establish an SSL connection.  Either the PQconnectdb()
call is not passing the right 'sslmode' parameter keyword
("prefer" would be best, in the db server I ensure that
connections going through the VPN are not double-encrypted
with libpq's SSL as well) or the libpq was not compiled with
SSL support.  See:

http://www.postgresql.org/docs/8.1/static/libpq.html#LIBPQ-CONNECT

I'm pretty sure that at one point when Tyler was directly
connecting to papio, before we tried the VPN, the ranker
was connecting with SSL enabled.


On 08/20/2007 08:29:48 AM, Lacey Maryott wrote:
> I tried to connect to ranker this morning using the (most updated?  
> 18-Aug-2007 12:51) jnlp file which I found at  
> https://papio.biology.duke.edu/ranker/ .  I changed the server to  
> papio.biology.duke.edu instead of the default  
> papio-vpn.biology.duke.edu like the Wiki says, and I then attempted  
> to log in using my unix username and password.  The error I received
> is
> 
> "Fatal: No pg_hba.conf entry for host 152.3.185.86 user (me) database  
> "babase", SSL off"
> 
> Please help :(
> 
> Lacey
> 
> 
> 
> Karl O. Pinc wrote:
>> 
>> On 08/18/2007 02:37:19 PM, Karl O. Pinc wrote:
>>> 
>>> On 08/18/2007 12:05:05 PM, Jun Yang wrote:
>>>> Hi guys:
>>>> 
>>>> You *should* now be able to connect to directly from  
>>>> biology.duke.edu
>>>> machines without using VPN. Instructions on
>>>>     https://papio.biology.duke.edu/babasewiki/RankerProgram
>>>> have been updated to reflect this change.
>>> 
>>> I don't _think_ that papio is allowing such connections
>>> right now.  I'm going to assume I've got Hunter's
>>> permission and go ahead and set that up.  I'll
>>> write when it's working.
>> 
>> Alright, I believe I've got papio configured to
>> allow SSL encrypted connections from the Internet,
>> which really means from inside the Duke (biology?)
>> firewall.
>> 
>> Note that connecting via the local network requires
>> use of the _Unix_ username and password, not the
>> database username and password.  (Hunter, going through
>> pam seems more secure.  Please let me know if you want
>> to do it differently.)
>> 
>> Hunter see:
>> pg_hba.conf (Turning off ssl for localhost and unix socket,
>>              turning on ssl for network and using pam to  
>> authenticate.)
>> postgresql.conf (Listening on all network interfaces, turning on  
>> ssl.)
>> 
>> Jun,
>> I believe that the use of SSL is automatically part of
>> libpq and you don't need to do anything on the application
>> side to enable this.  (Assuming of course that the
>> appropriate compile flags were chosen when libpq was compiled.)
>> I have not configured the server to require clients to have
>> a signed certificate.  All that's necessary is the Unix  
>> (papio/biology)
>> username and password.
>> 
>> Karl <kop at meme.com>
>> Free Software:  "You don't pay back, you pay forward."
>>                  -- Robert A. Heinlein
>> 
>> _______________________________________________
>> Babase mailing list
>> Babase at www.eco.princeton.edu
>> http://www.eco.princeton.edu/mailman/listinfo/babase
> 
>-- 
> Lacey Maryott
> Alberts Lab
> Department of Biology
> Duke University
> ph: 919-660-7306
> fax: 919-660-7293
> Lacey.Maryott at duke.edu
> 

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein
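The thread turns on pg_hba.conf record matching: PostgreSQL walks the file top to bottom and takes the first record whose type (local / host / hostssl / hostnossl), database, user and address all match the incoming connection; if none matches, the client gets exactly the "No pg_hba.conf entry for host ..., SSL off" error Lacey pasted. The following is an added example, not code from the Babase project or this list; it is a simplified matcher in Python with a constructed pg_hba.conf modelled on Karl's description (no SSL for the Unix socket and localhost, SSL plus PAM from the network). The user name "lacey" and the method choices are assumptions.

```python
"""Simplified pg_hba.conf matcher (added example, not Babase code).

Mirrors the first-match-wins semantics PostgreSQL applies:
  local      -> Unix-domain socket connections only
  host       -> TCP/IP, with or without SSL
  hostssl    -> TCP/IP only when the client negotiated SSL
  hostnossl  -> TCP/IP only when the client did not
A connection matching no record is rejected with a "no pg_hba.conf
entry for host ..." error, as in the thread.  Only the 'all' keyword,
comma-separated name lists and CIDR addresses are handled here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed configuration (assumption, modelled on the thread):
# no SSL needed on the Unix socket or localhost, SSL + PAM from the network.
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  CIDR-ADDRESS        METHOD
local   all       all                       ident sameuser
host    all       all   127.0.0.1/32        md5
hostssl all       all   0.0.0.0/0           pam
"""


@dataclass
class Connection:
    database: str
    user: str
    address: Optional[str]   # None means a Unix-domain socket connection
    ssl: bool = False


def _field_matches(field: str, value: str) -> bool:
    """'all' matches anything; otherwise a comma-separated list of names."""
    return field == "all" or value in field.split(",")


def match_hba(conf_text: str, conn: Connection) -> Optional[str]:
    """Return the auth METHOD of the first matching record, or None if rejected."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        rtype, database, user = fields[0], fields[1], fields[2]
        if not (_field_matches(database, conn.database) and _field_matches(user, conn.user)):
            continue
        if rtype == "local":
            if conn.address is None:
                return fields[3]
            continue
        if rtype not in ("host", "hostssl", "hostnossl") or conn.address is None:
            continue                      # host* records never match socket connections
        if rtype == "hostssl" and not conn.ssl:
            continue                      # the case from the thread: SSL off, record skipped
        if rtype == "hostnossl" and conn.ssl:
            continue
        network = ipaddress.ip_network(fields[3], strict=False)
        if ipaddress.ip_address(conn.address) in network:
            return fields[4]
    return None


def explain(conf_text: str, conn: Connection) -> str:
    """Render the server's decision in the same shape as the real error message."""
    method = match_hba(conf_text, conn)
    if method is None:
        where = "[local]" if conn.address is None else conn.address
        return (f'FATAL: no pg_hba.conf entry for host "{where}", user "{conn.user}", '
                f'database "{conn.database}", SSL {"on" if conn.ssl else "off"}')
    return f"accepted, authenticate with {method}"


if __name__ == "__main__":
    # Network client that did not negotiate SSL: no record matches, rejected.
    print(explain(SAMPLE_PG_HBA, Connection("babase", "lacey", "152.3.185.86", ssl=False)))
    # Same client with SSL negotiated: falls through to the hostssl/pam record.
    print(explain(SAMPLE_PG_HBA, Connection("babase", "lacey", "152.3.185.86", ssl=True)))
```

Running it prints the rejection for the SSL-off connection and "accepted, authenticate with pam" for the SSL-on one, which is why the "SSL off" tail of the error is the useful clue: the server is telling the client which variant of the connection it evaluated, and the hostssl record can only ever match the encrypted one.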
