Re: [GENERAL] db_user_namespace, md5 and changing passwords - Mailing list pgsql-hackers
From | Bruce Momjian |
---|---|
Subject | Re: [GENERAL] db_user_namespace, md5 and changing passwords |
Date | |
Msg-id | 200811200358.mAK3weA23952@momjian.us |
In response to | Re: [GENERAL] db_user_namespace, md5 and changing passwords (Magnus Hagander <magnus@hagander.net>) |
Responses | Re: [GENERAL] db_user_namespace, md5 and changing passwords |
List | pgsql-hackers |
Magnus Hagander wrote:
> >> Not sure I care enough to dive into what it would actually mean. My
> >> guess is that it's very uncommon to use db_user_namespace in any of
> >> these scenarios (in fact I think it's very uncommon to use it at all,
> >> but even more uncommon in these cases)
> >
> > The documentation changes highlight that we are going to validate for
> > most external authentications using the server username, so the external
> > authentication has to be set up to use that server username. Were the
> > docs not clear on that? Do I need a mention of db_user_namespace in the
> > authentication docs?
>
> AFAICS, the changes only say MD5 doesn't work. I think it should be made
> more clear.
>
> And yes, it probably makes sense to put it around the authentication
> docs as well as a warning to people - that's where they'll go looking if
> something doesn't work.

OK, documentation updated stating that all authentication has to use the
server username, and added a mention in the client-auth docs too.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

Index: doc/src/sgml/client-auth.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v retrieving revision 1.111 diff -c -c -r1.111 client-auth.sgml *** doc/src/sgml/client-auth.sgml 18 Nov 2008 13:10:20 -0000 1.111 --- doc/src/sgml/client-auth.sgml 20 Nov 2008 03:56:43 -0000 *************** *** 702,707 **** --- 702,709 ---- If you are at all concerned about password <quote>sniffing</> attacks then <literal>md5</> is preferred. Plain <literal>password</> should always be avoided if possible. + <literal>md5</> cannot be used with <xref + linkend="guc-db-user-namespace">. 
</para> <para> Index: doc/src/sgml/config.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v retrieving revision 1.195 diff -c -c -r1.195 config.sgml *** doc/src/sgml/config.sgml 11 Nov 2008 02:42:31 -0000 1.195 --- doc/src/sgml/config.sgml 20 Nov 2008 03:56:44 -0000 *************** *** 706,711 **** --- 706,722 ---- before the user name is looked up by the server. </para> + <para> + <varname>db_user_namespace</> causes the client's and + server's user name representation to differ. + Authentication checks are always done with the server's user name + so authentication methods must be configured for the + server's user name, not the client's. Because + <literal>md5</> uses the user name as salt on both the + client and server, <literal>md5</> cannot be used with + <varname>db_user_namespace</>. + </para> + <note> <para> This feature is intended as a temporary measure until a Index: src/backend/libpq/auth.c =================================================================== RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v retrieving revision 1.171 diff -c -c -r1.171 auth.c *** src/backend/libpq/auth.c 18 Nov 2008 13:10:20 -0000 1.171 --- src/backend/libpq/auth.c 20 Nov 2008 03:56:44 -0000 *************** *** 371,376 **** --- 371,380 ---- break; case uaMD5: + if (Db_user_namespace) + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"))); sendAuthRequest(port, AUTH_REQ_MD5); status = recv_and_check_password_packet(port); break; Index: src/backend/libpq/hba.c =================================================================== RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v retrieving revision 1.172 diff -c -c -r1.172 hba.c *** src/backend/libpq/hba.c 28 Oct 2008 12:10:43 -0000 1.172 --- src/backend/libpq/hba.c 20 Nov 2008 03:56:47 -0000 *************** *** 846,852 **** --- 846,861 ---- 
else if (strcmp(token, "reject") == 0) parsedline->auth_method = uaReject; else if (strcmp(token, "md5") == 0) + { + if (Db_user_namespace) + { + ereport(LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"))); + return false; + } parsedline->auth_method = uaMD5; + } else if (strcmp(token, "pam") == 0) #ifdef USE_PAM parsedline->auth_method = uaPAM;
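Review bot: the sentence added to client-auth.sgml, "<literal>md5</> cannot be used with <xref linkend="guc-db-user-namespace">.", states the restriction without the reason, and client-auth is the page an administrator choosing an authentication method reads first; adding the half-sentence the config.sgml hunk already has ("because the user name is part of the MD5 salt") stops readers treating it as arbitrary and going looking for a workaround.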
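Review bot: in the config.sgml hunk, "Authentication checks are always done with the server's user name so authentication methods must be configured for the server's user name, not the client's." needs a comma before "so", and "cannot be used" would serve an operator better if it said what the server does about it: the hba.c and auth.c hunks reject an md5 line in pg_hba.conf and fail the connection, so a sentence such as "the server rejects pg_hba.conf entries that use md5 while this parameter is on" tells readers what error to expect.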
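Review bot: in the auth.c hunk the FATAL in the uaMD5 case is raised before sendAuthRequest, so "MD5 authentication is not supported when \"db_user_namespace\" is enabled" is delivered to a client that has not authenticated yet and discloses a server setting; since the hba.c hunk already logs the same text at pg_hba.conf load time, the client-facing error could be the generic authentication failure used elsewhere in auth.c, with the specifics kept in the server log. The error code also differs between the two hunks for the same misconfiguration (ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION here, ERRCODE_CONFIG_FILE_ERROR in hba.c); pick one.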
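Review bot: the hba.c check runs once when the "md5" token is parsed, while the auth.c check of the same Db_user_namespace flag runs per connection; the two only agree if the setting cannot change between a pg_hba.conf load and the connection attempt, so the commit should say which check is authoritative (the load-time rejection, with auth.c as a safety net) and a test that toggles db_user_namespace and reloads would confirm the line is re-evaluated. The errmsg string is also duplicated verbatim across both hunks; a single shared definition keeps the two from drifting apart.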