Re: Login Failures After Upgrade - Mailing list pgsql-general
From | Bruce Momjian |
---|---|
Subject | Re: Login Failures After Upgrade |
Date | |
Msg-id | 200212161946.gBGJkdq03926@candle.pha.pa.us Whole thread Raw |
In response to | Login Failures After Upgrade ("Greg Kelley" <gkelley@britannicaviation.com>) |
List | pgsql-general |
This will be fixed in 7.3.1. Attached is the patch, but changing to MD5 is perfereable. --------------------------------------------------------------------------- Greg Kelley wrote: > Folks, > > Just upgraded from 7.1.3 to 7.3 (using RPMs) and now none of the assigned > users can login as before. Tried resetting passwords with 'ALTER USER XXX > WITH PASSWORD='pwd' and it didn't help. pg_hba.conf listing follows: > > > # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD > > local all all > password > host all all 127.0.0.1 255.255.255.255 password > host all all 192.168.1.0 255.255.255.0 password > host all all 24.128.216.179 255.255.255.255 password > host all all 217.33.127.174 255.255.255.248 password > > Had to set the first two lines to 'trust' to get apache/php to access data. > Would like to have password protection working again, but can't figure out > what's gone wrong. Any ideas appreciated, thanks. > > Rgds, > > ________________________ > Greg Kelley, IT Director > Britannic Aviation, US and UK > US Office: > Pease Int'l Tradeport > 68 New Hampshire Ave. > Portsmouth, NH 03801 > 603.766.3005 > http://www.britannicaviation.com > AOPA, EAA, SSA > CFII SEL, MEL; Comm Glider > > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 Index: src/backend/libpq/crypt.c =================================================================== RCS file: /cvsroot/pgsql-server/src/backend/libpq/crypt.c,v retrieving revision 1.49 diff -c -c -r1.49 crypt.c *** src/backend/libpq/crypt.c 4 Sep 2002 20:31:19 -0000 1.49 --- src/backend/libpq/crypt.c 5 Dec 2002 18:03:53 -0000 *************** *** 29,35 **** int ! 
md5_crypt_verify(const Port *port, const char *user, const char *pgpass) { char *passwd = NULL, *valuntil = NULL, --- 29,35 ---- int ! md5_crypt_verify(const Port *port, const char *user, char *pgpass) { char *passwd = NULL, *valuntil = NULL, *************** *** 37,42 **** --- 37,43 ---- int retval = STATUS_ERROR; List **line; List *token; + char *crypt_pgpass = pgpass; if ((line = get_user_line(user)) == NULL) return STATUS_ERROR; *************** *** 54,64 **** if (passwd == NULL || *passwd == '\0') return STATUS_ERROR; ! /* If they encrypt their password, force MD5 */ ! if (isMD5(passwd) && port->auth_method != uaMD5) { elog(LOG, "Password is stored MD5 encrypted. " ! "'password' and 'crypt' auth methods cannot be used."); return STATUS_ERROR; } --- 55,65 ---- if (passwd == NULL || *passwd == '\0') return STATUS_ERROR; ! /* We can't do crypt with pg_shadow MD5 passwords */ ! if (isMD5(passwd) && port->auth_method == uaCrypt) { elog(LOG, "Password is stored MD5 encrypted. " ! "'crypt' auth method cannot be used."); return STATUS_ERROR; } *************** *** 72,77 **** --- 73,79 ---- crypt_pwd = palloc(MD5_PASSWD_LEN + 1); if (isMD5(passwd)) { + /* pg_shadow already encrypted, only do salt */ if (!EncryptMD5(passwd + strlen("md5"), (char *) port->md5Salt, sizeof(port->md5Salt), crypt_pwd)) *************** *** 82,87 **** --- 84,90 ---- } else { + /* pg_shadow plain, double-encrypt */ char *crypt_pwd2 = palloc(MD5_PASSWD_LEN + 1); if (!EncryptMD5(passwd, port->user, strlen(port->user), *************** *** 110,120 **** break; } default: crypt_pwd = passwd; break; } ! 
if (strcmp(pgpass, crypt_pwd) == 0) { /* * Password OK, now check to be sure we are not past valuntil --- 113,134 ---- break; } default: + if (isMD5(passwd)) + { + /* Encrypt user-supplied password to match MD5 in pg_shadow */ + crypt_pgpass = palloc(MD5_PASSWD_LEN + 1); + if (!EncryptMD5(pgpass, port->user, strlen(port->user), + crypt_pgpass)) + { + pfree(crypt_pgpass); + return STATUS_ERROR; + } + } crypt_pwd = passwd; break; } ! if (strcmp(crypt_pgpass, crypt_pwd) == 0) { /* * Password OK, now check to be sure we are not past valuntil *************** *** 136,141 **** --- 150,157 ---- if (port->auth_method == uaMD5) pfree(crypt_pwd); + if (crypt_pgpass != pgpass) + pfree(crypt_pgpass); return retval; } Index: src/include/libpq/crypt.h =================================================================== RCS file: /cvsroot/pgsql-server/src/include/libpq/crypt.h,v retrieving revision 1.22 diff -c -c -r1.22 crypt.h *** src/include/libpq/crypt.h 4 Sep 2002 20:31:42 -0000 1.22 --- src/include/libpq/crypt.h 5 Dec 2002 18:03:54 -0000 *************** *** 23,29 **** extern int md5_crypt_verify(const Port *port, const char *user, ! const char *pgpass); extern bool md5_hash(const void *buff, size_t len, char *hexsum); extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed); --- 23,29 ---- extern int md5_crypt_verify(const Port *port, const char *user, ! char *pgpass); extern bool md5_hash(const void *buff, size_t len, char *hexsum); extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed);
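Review bot: The comment added in the `default:` branch (crypt.c, new lines 113-134) does not say that this appears to be the path taken for the `password` method, where `pgpass` is the client's password as it arrived in cleartext, so a reader cannot tell why the server is hashing it here. I would expand it to `/* 'password' auth: client sent the password in clear; hash it with the user name as salt so it can be compared with the MD5 entry in pg_shadow */`. The changed `strcmp(crypt_pgpass, crypt_pwd)` just below also stops at the first differing byte; when both sides are digests, a comparison that always walks the full string would avoid leaking how much of the stored hash matched. md5_crypt_verify starts and ends outside this hunk.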
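Review bot: Dropping `const` from `pgpass` in the exported prototype (and in the definition, crypt.c hunk at line 29) widens the contract for every caller only so that the local `char *crypt_pgpass = pgpass;` compiles; nothing visible in the patch writes through `pgpass`. The prototype could stay `const char *pgpass` if the definition kept the comparison pointer const and tracked the allocation separately, e.g. `const char *crypt_pgpass = pgpass; char *hashed_pgpass = NULL;`, with `if (hashed_pgpass) pfree(hashed_pgpass);` in the cleanup hunk at line 150 instead of the `crypt_pgpass != pgpass` identity test. This assumes EncryptMD5 takes its first argument as `const char *`, which is not shown on this page.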