Re: [ADMIN] user auth & passwords - Mailing list pgsql-docs

From Bruce Momjian
Subject Re: [ADMIN] user auth & passwords
Date
Msg-id 199909281945.PAA26348@candle.pha.pa.us
Whole thread Raw
List pgsql-docs
Thomas, is this already in the docs?


> Jason Dillon wrote:
>   >For the life of me I can not find any substancial documentation on how to gi
>       >ve
>   >users passwords.  I have found the -a argument to many of the command line
>   >tools, but I can't seem to figure out what they do.  I have also played with
>   >pg_hba.conf, but this exercise has proved to be just as frustrating. I also
>   >tried to use "create user" via psql, but it too did little.
>   >
>   >I am trying to setup a database that will only allow users with the correct
>   >encrypted passwords to access the system.  It does not appear to me that the
>   >`createuser' tool has the ability to set user passwords.  I tryed creating
>   >users with different settings for -a <system> but this did not really do
>   >anything differently.
> 
> The man page says "this option no longer has any effect".
>   >
>   >When I changed the auth setting in pg_hba.conf from trust to crypt or
>   >password, I was unable to login with user postgres.  I had to set
>   >local back to trust to be able to do anything.
> Every account _requires_ a password.
>   >
>   >I would really apreciate it if someone who knows how to create passwords for
>   >users would drop some knowledge.  The lack of documentation is driving me nu
>       >ts.
> 
> I put this together a few days back:
> 
> =========================================================================
> 
> How to use clear or encrypted passwords for PostgreSQL access:
> =============================================================
> 
> Use lines such as
> 
>   local        all                password
>   host        192.137.23    255.255.255.0    crypt
> 
> in /etc/postgresql/pg_hba.conf; then you can use
> 
>    CREATE USER user WITH PASSWORD password...
> 
> to create a new user with the specified password, or
> 
>    ALTER USER user WITH PASSWORD password...
> 
> to change the password of an existing user.  Any user with create-user
> privilege can alter a password for any user, *INCLUDING* the postgres
> super-user.
> 
> If connecting with psql, use the -u option; the user is prompted for username
> and password.  If you don't use -u, the connection fails.
> 
> If using your own program with libpq, it is up to you to collect the user name
> and password from the user and send them to the backend with PQsetdbLogin().
> [How can one know, with libpq, whether this is necessary?]
> 
> Passwords are stored in pg_shadow in clear, but if `crypt' authentication is
> specified, the frontend encrypts the password with a random salt and
> the backend uses the same salt to encrypt the password in the database.
> If the two encrypted passwords match, the user is allowed access. If the
> authentication method is `password', the password is transmitted and
> compared in clear.
> 
> If passwords are turned on, it becomes impossible to connect as
> a user, if no password is defined for that user.  Neither can you use
> \connect to change user within psql.
> 
> <Debian-specific>
> If you turn on passwords for local, the default do.maintenance cron job
> will stop working, because it will not supply a username or password.
> In this case, you must alter /etc/cron.d/postgresql to supply the
> user and password for the postgres superuser, with the -u and -p options.
> It will then be necessary to change the permissions on /etc/cron.d/postgresql
> to make it readable by root only.
> </Debian-specific>
> 
> 
> Problems with password authentication
> =====================================
> 
> 1. There is no easy and secure way to automate access when passwords are
>    in use.  It would be good if the postgres super-user (as identified by
>    Unix on a Unix sockets connection) could bypass the authentication.
> 
> 2. pgaccess has no mechanism for specifying username and password. It cannot
>    be used if password/crypt authentication is turned on for host
>    connections from localhost.
> 
> 3. In general, passwords are insecure, because they are held in clear
>    in pg_shadow.  Anyone with create-user privilege can not only alter but
>    also read them.  They ought to be stored with one-way encryption, as
>    with the Unix password system.
> 
> 4. The postgres super-user's password can be changed by anyone with 
>    create-user privilege.  It ought to be the case that people can
>    only change their own passwords and that only the super-user can change
>    other peoples' passwords.
> 
> 5. If passwords are turned on, the -u option must be supplied to psql. If
>    it is not, psql merely says "Connection to database 'xxxx' failed.".  A
>    more helpful error message would be desirable.
> =========================================================================
> 
> -- 
> Oliver Elphick                                Oliver.Elphick@lfix.co.uk
> Isle of Wight                              http://www.lfix.co.uk/oliver
>                PGP key from public servers; key ID 32B8FAA1
>                  ========================================
>      "But without faith it is impossible to please him; for 
>       he that cometh to God must believe that he is, and 
>       that he is a rewarder of them that diligently seek 
>       him."       Hebrews 11:6 
> 
> 
> 
> 


--  Bruce Momjian                        |  http://www.op.net/~candle maillist@candle.pha.pa.us            |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026
 


pgsql-docs by date:

Previous
From: Bruce Momjian
Date:
Subject: New backend flowchart
Next
From: Thomas Lockhart
Date:
Subject: Re: [ADMIN] user auth & passwords