Re: [GENERAL] db_user_namespace, md5 and changing passwords - Mailing list pgsql-hackers
From | Bruce Momjian |
---|---|
Subject | Re: [GENERAL] db_user_namespace, md5 and changing passwords |
Date | |
Msg-id | 200811202106.mAKL6nW02434@momjian.us |
In response to | Re: [GENERAL] db_user_namespace, md5 and changing passwords (Bruce Momjian <bruce@momjian.us>) |
List | pgsql-hackers |
Bruce Momjian wrote:
> Magnus Hagander wrote:
> > >> Not sure I care enough to dive into what it would actually mean. My
> > >> guess is that it's very uncommon to use db_user_namespace in any of
> > >> these scenarios (in fact I think it's very uncommon to use it at all,
> > >> but even more uncommon in these cases)
> > >
> > > The documentation changes highlight that we are going to validate for
> > > most external authentications using the server username, so the external
> > > authentication has to be set up to use that server username. Were the
> > > docs not clear on that? Do I need a mention of db_user_namespace in the
> > > authentication docs?
> >
> > AFAICS, the changes only say MD5 doesn't work. I think it should be made
> > more clear.
> >
> > And yes, it probably makes sense to put it around the authentication
> > docs as well as a warning to people - that's where they'll go looking if
> > something doesn't work.
>
> OK, documentation updated stating that all authentication has to use
> the server username, and added a mention in the client-auth docs too.

Applied to CVS HEAD. Not sure if it should be backpatched so I didn't.
We do have two bug reports for 8.3 but none for earlier releases where
it was also broken.

---------------------------------------------------------------------------

>
> --
> Bruce Momjian <bruce@momjian.us> http://momjian.us
> EnterpriseDB http://enterprisedb.com
>
> + If your life is a hard drive, Christ can be your backup.
+ > Index: doc/src/sgml/client-auth.sgml > =================================================================== > RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v > retrieving revision 1.111 > diff -c -c -r1.111 client-auth.sgml > *** doc/src/sgml/client-auth.sgml 18 Nov 2008 13:10:20 -0000 1.111 > --- doc/src/sgml/client-auth.sgml 20 Nov 2008 03:56:43 -0000 > *************** > *** 702,707 **** > --- 702,709 ---- > If you are at all concerned about password > <quote>sniffing</> attacks then <literal>md5</> is preferred. > Plain <literal>password</> should always be avoided if possible. > + <literal>md5</> cannot be used with <xref > + linkend="guc-db-user-namespace">. > </para> > > <para> > Index: doc/src/sgml/config.sgml > =================================================================== > RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v > retrieving revision 1.195 > diff -c -c -r1.195 config.sgml > *** doc/src/sgml/config.sgml 11 Nov 2008 02:42:31 -0000 1.195 > --- doc/src/sgml/config.sgml 20 Nov 2008 03:56:44 -0000 > *************** > *** 706,711 **** > --- 706,722 ---- > before the user name is looked up by the server. > </para> > > + <para> > + <varname>db_user_namespace</> causes the client's and > + server's user name representation to differ. > + Authentication checks are always done with the server's user name > + so authentication methods must be configured for the > + server's user name, not the client's. Because > + <literal>md5</> uses the user name as salt on both the > + client and server, <literal>md5</> cannot be used with > + <varname>db_user_namespace</>. 
> + </para> > + > <note> > <para> > This feature is intended as a temporary measure until a > Index: src/backend/libpq/auth.c > =================================================================== > RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v > retrieving revision 1.171 > diff -c -c -r1.171 auth.c > *** src/backend/libpq/auth.c 18 Nov 2008 13:10:20 -0000 1.171 > --- src/backend/libpq/auth.c 20 Nov 2008 03:56:44 -0000 > *************** > *** 371,376 **** > --- 371,380 ---- > break; > > case uaMD5: > + if (Db_user_namespace) > + ereport(FATAL, > + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), > + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"))); > sendAuthRequest(port, AUTH_REQ_MD5); > status = recv_and_check_password_packet(port); > break; > Index: src/backend/libpq/hba.c > =================================================================== > RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v > retrieving revision 1.172 > diff -c -c -r1.172 hba.c > *** src/backend/libpq/hba.c 28 Oct 2008 12:10:43 -0000 1.172 > --- src/backend/libpq/hba.c 20 Nov 2008 03:56:47 -0000 > *************** > *** 846,852 **** > --- 846,861 ---- > else if (strcmp(token, "reject") == 0) > parsedline->auth_method = uaReject; > else if (strcmp(token, "md5") == 0) > + { > + if (Db_user_namespace) > + { > + ereport(LOG, > + (errcode(ERRCODE_CONFIG_FILE_ERROR), > + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"))); > + return false; > + } > parsedline->auth_method = uaMD5; > + } > else if (strcmp(token, "pam") == 0) > #ifdef USE_PAM > parsedline->auth_method = uaPAM; > > -- > Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-hackers -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
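Review bot: In the client-auth.sgml hunk the new sentence, read together with the preceding "Plain <literal>password</> should always be avoided if possible", tells a db_user_namespace user that md5 is out and password is discouraged without saying what to use instead; one more clause pointing at the config.sgml explanation would close that gap, e.g. "<literal>md5</> cannot be used with <xref linkend="guc-db-user-namespace">; use an authentication method that is configured for the server's user name instead."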
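Review bot: In the config.sgml hunk, "uses the user name as salt on both the client and server" is easy to misread as the per-connection random salt; the point is that the stored password hash itself is computed over the password and the user name, so a client that only knows its own form of the name cannot reproduce the value the server stored. Suggest: "Because <literal>md5</> hashes the password together with the user name on both the client and the server, and the two names differ under <varname>db_user_namespace</>, <literal>md5</> cannot be used with it."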
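Review bot: In the auth.c hunk the new FATAL under `case uaMD5:` duplicates the parse-time rejection added in hba.c, and nothing in the code says why both are needed; a one-line comment above `if (Db_user_namespace)` noting that this is a backstop for a pg_hba.conf that was parsed under a different db_user_namespace setting than the one in effect at connection time would stop a future reader from removing one of the two checks as redundant.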
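Review bot: In the hba.c hunk the `return false` after the LOG rejects the line while pg_hba.conf is being parsed, so an administrator who turns on db_user_namespace on a server with existing md5 lines only learns of it from the server log, and whether the rest of the file still loads depends on how the caller treats that false return; worth confirming which outcome (whole file rejected versus just this line) is intended and stating it in the commit message. Keeping the errmsg text identical to the auth.c copy, as the hunk does, is right for translators.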
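The config.sgml hunk above says md5 hashes the password together with the user name on both sides, and that db_user_namespace makes the two names differ. As an added example (not PostgreSQL's code), the following Python model of the md5 exchange shows that mismatch for both a per-database user and a global (trailing '@') user; the role names, database name, password and the dict standing in for pg_authid are all constructed.

```python
import hashlib
import hmac
import os

# Added example, not PostgreSQL's code: a model of the md5 password exchange
# showing why it cannot work under db_user_namespace. All names are constructed.

def pg_md5_stored(password, role_name):
    """Form stored in pg_authid for an md5 password: 'md5' + hex(md5(password || role)).
    The role name is the only salt at this stage, so both sides must use the same name."""
    return "md5" + hashlib.md5((password + role_name).encode()).hexdigest()

def pg_md5_client_response(password, user_name, salt):
    """libpq's reply to AUTH_REQ_MD5: the stored form re-hashed with the server's
    4-byte random salt. The client only knows the user name it connected with."""
    inner = pg_md5_stored(password, user_name)[3:]
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()

def pg_md5_server_check(stored, response, salt):
    """Server side: apply the same salt to the stored hash and compare."""
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)

def server_role_name(client_user, dbname, db_user_namespace):
    """Role the server looks up. With db_user_namespace=on a lone trailing '@'
    marks a global user and is stripped; otherwise '@' + dbname is appended."""
    if not db_user_namespace:
        return client_user
    at = client_user.find("@")
    if at != -1 and at == len(client_user) - 1:
        return client_user[:-1]
    return f"{client_user}@{dbname}"

def md5_login_succeeds(password, client_user, dbname, db_user_namespace, pg_authid):
    """One md5 authentication exchange against a dict standing in for pg_authid."""
    stored = pg_authid.get(server_role_name(client_user, dbname, db_user_namespace))
    if stored is None:
        return False
    salt = os.urandom(4)
    response = pg_md5_client_response(password, client_user, salt)
    return pg_md5_server_check(stored, response, salt)

# Constructed catalogue: each role created with CREATE ROLE ... PASSWORD 'secret'.
PG_AUTHID = {
    "alice": pg_md5_stored("secret", "alice"),            # plain setup
    "alice@mydb": pg_md5_stored("secret", "alice@mydb"),  # per-database user
    "bob": pg_md5_stored("secret", "bob"),                # global user
}
```

With db_user_namespace off, alice logs in; with it on, both "alice" (looked up as "alice@mydb") and the global user "bob@" (looked up as "bob") fail because the client hashed with a different name than the one the stored hash was built from.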