3

I created an admin user with password in pgadmin4:

CREATE USER admin WITH
LOGIN
SUPERUSER
CREATEDB
CREATEROLE
INHERIT
REPLICATION
CONNECTION LIMIT -1
PASSWORD 'xxxxxx';

But I can log in to the respective server with the admin user and any wrong password. I used the psql command line to check if the user has been created, and it has.

# SELECT usename FROM pg_user;
usename   
------------
 postgres
 xxxxxxxxxxx
 admin
 (3 rows)

I checked if I can log in with the admin user and a wrong password through the psql command line, and it worked...

Am I doing something wrong?

Pgadmin4 v1.1
Postgresql v9.6
Same problem on Centos 6.8 and macOSX 19.12.1

Romulus
  • If you observe the same problem with psql it's hardly a problem of pgAdmin4 like your title suggests. There are various ways to enable login without password, one of those is probably activated: http://stackoverflow.com/questions/15359348/run-batch-file-with-psql-command-without-password/15593100#15593100 – Erwin Brandstetter Nov 17 '16 at 03:20

1 Answer

3

This is speculation, but it's educated speculation, as I encountered a similar issue.

In your pg_hba.conf file, I am pretty confident you have the admin user set up as "trust." This pretty much means it can log in from anywhere you specified, without a password.

If you change this to "md5," it should resolve the issue.

# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             admin           <whatever>              trust

change to

host    all             admin           <whatever>              md5

Of course some of these fields may be different, depending on how you have the server set up, but you get the idea.

Hambone
  • Thanks @Hambone! That makes sense! The funny thing is that all the blogs explaining how to set up the PostgreSQL server and the database use METHOD 'trust', which creates confusion. – Romulus Nov 17 '16 at 09:50
  • I agree. We found this out quite by accident and had a huge security gap for nearly two years. We discovered it when an Excel spreadsheet with my username embedded in the connection string WORKED on someone else's PC with no password in the connection string. We started digging and learned about the `trust` setting. A big issue, but PostgreSQL has been so amazing it's hard to complain about an oversight that was probably mine to begin with. – Hambone Nov 17 '16 at 14:55
  • True! But by default in the tutorials it should be set to md5. People used to other database software get really confused. – Romulus Nov 17 '16 at 15:08
  • Thx! Btw, the "peer" option causes the same issue (wrong password) if the sys-username == pg-username – webdeb Feb 20 '17 at 00:45
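A small checker for the pg_hba.conf situation the answer describes, added here as an example (not code from the question, the answer, or PostgreSQL itself): it parses the file, lists the `trust` rules that let a client in without a password check, and rewrites them to `md5` as the answer suggests. The sample file, the `HbaRule` record and the function names are constructed for this example.

```python
import re
from collections import namedtuple

# Auth methods accepted in pg_hba.conf (subset sufficient for these checks).
METHODS = {"trust", "reject", "md5", "scram-sha-256", "password", "peer", "ident",
           "gss", "sspi", "ldap", "radius", "cert", "pam"}

HbaRule = namedtuple("HbaRule", "lineno conn_type database user address method")  # address "" for local rules

def parse_pg_hba(text):
    """Parse pg_hba.conf text into rules, ignoring blank lines and # comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only, or incomplete rule
        conn_type, database, user, *rest = fields
        address = ""
        if conn_type != "local":
            address = rest.pop(0)
            # Legacy form "host all all 10.0.0.0 255.0.0.0 md5": netmask in its own column.
            if rest and rest[0] not in METHODS and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", rest[0]):
                address += "/" + rest.pop(0)
        method = rest[0] if rest else ""
        rules.append(HbaRule(lineno, conn_type, database, user, address, method))
    return rules

def find_trust_rules(rules):
    """Rules with no password check (the question's symptom). PostgreSQL uses the
    first matching rule, so a broad early 'trust' rule overrides stricter ones below."""
    return [r for r in rules if r.method == "trust"]

def harden(text, new_method="md5"):
    """Rewrite every 'trust' rule to a password method (md5, as in the answer),
    preserving column alignment and trailing comments."""
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        if code.split()[-1:] == ["trust"]:
            code = re.sub(r"\btrust(\s*)$", new_method + r"\1", code)
        out.append(code + sep + comment)
    return "\n".join(out) + "\n"

# Constructed sample modelled on the answer's example rule (not a real server's file).
SAMPLE_CONF = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
host    all             admin           127.0.0.1/32            trust   # the offending rule
host    all             all             192.168.1.0 255.255.255.0 md5
"""
```

Run `find_trust_rules(parse_pg_hba(open("/path/to/pg_hba.conf").read()))` to list offending rules; the server reloads the file only after `pg_ctl reload` or `SELECT pg_reload_conf();`.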