Re: crypt vs password in pg_hba.conf - Mailing list pgsql-general

From Robert C. Paulsen Jr.
Subject Re: crypt vs password in pg_hba.conf
Date
Msg-id 20030615122211.GA26853@avalon.paulsen.org
In response to Re: crypt vs password in pg_hba.conf  ("Nigel J. Andrews" <nandrews@investsystems.co.uk>)
List pgsql-general
On Sat, Jun 14, 2003 at 11:42:11PM +0100, Nigel J. Andrews wrote:
> On Sat, 14 Jun 2003, Robert C. Paulsen Jr. wrote:
>
> > I just compiled and installed version 7.3.3 and am having a problem with
> > encrypted logins.
> >
> > I built it using "--with-openssl" on the .configure command.
> >
> > All seemed to go OK during the build and install. I created a user with a
> > password and am able to connect with psql using the password if pg_hba.conf has
> > a line like this:
> >
> >         host all all 192.168.0.0 255.255.255.0 password
> >
> > but if I change that line to this:
> >
> >         host all all 192.168.0.0 255.255.255.0 crypt
>
> You need to tell postgresql that the password is to be encrypted when you set
> it.
>
> >
> > the connection fails with the message:
> >
> >         psql: FATAL:  Password authentication failed for user "robert"
>
> Because it is encrypting the password and comparing it against an unencrypted
> one.
>
> >
> > I am pretty sure I don't have the password wrong since I tried redoing it
> > several times using "ALTER USER".
>
> Check the syntax for the alter user statement, wherever it says you may use
> the word ENCRYPTED use it and you should then be able to use 'crypt' in the
> pg_hba.conf.
>

I'm using the Stones and Matthew book (Beginning Databases with
PostgreSQL) to learn and its description of the create and alter user
commands doesn't mention the "encrypted" option.  So, based on your
comments I looked at the online documentation and found the following
interesting comment regarding md5:

        This is the only method that allows encrypted passwords to be
        stored in pg_shadow.

So, for crypt it seems the "encrypted" option of create and alter user
should *not* be used.

There is also a statement in the docs saying that passwords will be
encrypted in pg_shadow even *without* the "encrypted" option if the
"password_encryption" server parameter is "true". According to comments
in postgresql.conf this defaults to "false" in 7.2 and "true" in 7.3 --
that would explain my problem!

So, I switched to md5 and all is now working.

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
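
The behaviour described in this message, as an added example that is not part of the original post or of PostgreSQL's own code: it models how an MD5 entry in pg_shadow is checked under the `password` and `md5` methods, and why `crypt` cannot use such an entry. The function names, the sample password and the salt are constructed for illustration; only the user name "robert" comes from the message.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_md5_verifier(user: str, password: str) -> str:
    # pg_shadow entry for an MD5-encrypted password: "md5" + md5(password || username)
    return "md5" + md5_hex((password + user).encode())

def is_md5_entry(stored: str) -> bool:
    return len(stored) == 35 and stored.startswith("md5")

def client_md5_response(user: str, password: str, salt: bytes) -> str:
    # Client's answer to the server's random 4-byte salt under "md5" in pg_hba.conf
    inner = md5_hex((password + user).encode())
    return "md5" + md5_hex(inner.encode() + salt)

def server_check_md5(stored: str, response: str, salt: bytes) -> bool:
    # Assumes an MD5 entry: the server works from the stored hash, never the cleartext
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected.encode(), response.encode())

def server_check_password(stored: str, user: str, cleartext: str) -> bool:
    # "password" method: the cleartext arrives on the wire and the server hashes
    # it the same way before comparing it with an MD5 entry
    candidate = stored_md5_verifier(user, cleartext) if is_md5_entry(stored) else cleartext
    return hmac.compare_digest(stored.encode(), candidate.encode())

def crypt_method_usable(stored: str) -> bool:
    # "crypt" has the server run crypt() over the cleartext password with a
    # per-connection salt, so it cannot be computed from an MD5 entry
    return not is_md5_entry(stored)

if __name__ == "__main__":
    user, password = "robert", "constructed-example-pw"  # password is a constructed sample
    salt = b"\x01\x02\x03\x04"  # constructed; the real server picks it at random
    stored = stored_md5_verifier(user, password)
    print("pg_shadow entry :", stored)
    print("password method :", server_check_password(stored, user, password))
    print("md5 method      :", server_check_md5(stored, client_md5_response(user, password, salt), salt))
    print("crypt usable    :", crypt_method_usable(stored))
```

With `password_encryption` set to "true" the entry is an MD5 one, which matches what the message reports: `password` and `md5` succeed and `crypt` fails.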
