Anastasia

Reputation: 23

FATAL: Ident authentication failed for user "pg_username" with pg_ident.conf settings

I have two DB servers located on host1 and host2, for example

Settings in pg_ident.conf on host2

# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
mymap           system_username        pg_username

Settings in pg_ident.conf on host1

# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
mymap           system_username        pg_username

Settings in pg_hba.conf on host1

# TYPE  DATABASE                USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
...
local   dbname                    pg_username                       peer map=mymap
....

host    dbname                    pg_username       all             ident map=mymap

Also I reloaded configuration:

select pg_reload_conf();

Then I try to connect to the database (local connection) from host1

ssh system_username@host1
psql -p 5432 -U pg_username -d dbname

And it's working

But when I try to connect to the database (remote connection to host1) from host2

ssh system_username@host2
psql -h host1 -p 5432 -U pg_username -d dbname

I got the error


FATAL:  Ident authentication failed for user "pg_username" with pg_ident.conf settings

In the logs I have:

2023-12-07 11:01:47.062 +05 [26328-1] LOG:  could not connect to Ident server at address "host1", port 113: Connection refused
2023-12-07 11:01:47.062 +05 [26328-1] FATAL:  Ident authentication failed for user "pg_username"
2023-12-07 11:01:47.062 +05 [26328-1] DETAIL:  Connection matched pg_hba.conf line 104: "host   dbname                    pg_username       all             ident map=mymap"

What am I doing wrong?

Upvotes: 0

Views: 730

Answers (1)

Laurenz Albe

Reputation: 246483

You probably didn't start the ident service.

Don't ever use ident authentication for remote connections. It is totally unsafe. With ident authentication, the PostgreSQL server asks the ident server on the client side about the identity of the user. So if you control the client machine, you can fake any identity you want. ident is only trustworthy if the client machine is trustworthy, and then you might as well use trust.

Imagine this dialog:

  • Client: Let me in!
  • Server: Client machine, what is the operating system user that made the connection request I just got?
  • Ident server on the client machine: That is a totally trusted user.
  • Server: Ok, cool, then you can connect without a password.

If you want password-less connections from a remote machine, use a secure authentication method that does not rely on a password, like TLS certificates.

Upvotes: 0
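
As an added example (not part of the answer above and not PostgreSQL's own tooling), this Python script audits pg_hba.conf text for non-loopback rules that use `ident` or `trust`, and prints the `hostssl ... cert` rule that would replace each one. Assumptions: the sample rules other than the question's two are constructed, loopback and `samehost` rules are skipped because the ident reply then comes from the server's own host, and the kept `map=` option presumes the client certificate's CN is the name the map translates to the database user.

```python
import ipaddress
import shlex

REMOTE_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
CLIENT_ASSERTED = {"ident", "trust"}  # server accepts the client side's claim

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def is_loopback(address):
    """True for samehost or a loopback-only network such as 127.0.0.1/32."""
    if address == "samehost":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # hostname, "all", "samenet"
        return False

def audit_hba(text):
    """Return (lineno, method, address, cert_rule) for risky remote rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops "#" comments, honours quotes
        if len(fields) < 5 or fields[0] not in REMOTE_TYPES:
            continue
        database, user, address, rest = fields[1], fields[2], fields[3], fields[4:]
        if is_ip(rest[0]) and len(rest) > 1:  # netmask given as its own column
            address = str(ipaddress.ip_network(f"{address}/{rest[0]}", strict=False))
            rest = rest[1:]
        method, options = rest[0], rest[1:]
        if method not in CLIENT_ASSERTED or is_loopback(address):
            continue
        # With cert, map= matches the certificate CN instead of an ident reply.
        keep = [o for o in options if o.startswith("map=")]
        cert_rule = " ".join(["hostssl", database, user, address, "cert", *keep])
        findings.append((lineno, method, address, cert_rule))
    return findings

# Constructed sample: the question's two rules plus three made-up ones.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER         ADDRESS             METHOD
local   dbname    pg_username                      peer map=mymap
host    dbname    pg_username  all                 ident map=mymap
host    dbname    pg_username  127.0.0.1/32        ident map=mymap
host    all       all          10.0.0.0 255.0.0.0  trust
hostssl dbname    app          10.0.0.0/8          scram-sha-256
"""

if __name__ == "__main__":
    for lineno, method, address, cert_rule in audit_hba(SAMPLE_HBA):
        print(f"line {lineno}: {method} from {address} -> {cert_rule}")
```

The `cert` method only works once the server has `ssl = on` with a CA configured in `ssl_ca_file`, and the client connects with a certificate signed by that CA.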
