Thread: wrong password accepted

wrong password accepted

From
Raphael Bauduin
Date:
Hi,

this is a strange situation I just discovered on a postgresql
7.2.1-2woody2 (Debian as you can see...). I use pg_hba to specify
password authentication for clients. Here's the line:
host         all         127.0.0.1    255.255.255.0       password  pass-file

I just discovered that when I use the correct password to which I append
text, it is accepted (though this is not correct...)
For example, if my password is postgres, the following will also be
accepted: postgresql, postgresblabla, postgres2 ...... but it will
reject postgrex, e.g.

I couldn't reproduce it with postgres 7.3 (self compiled, the problem
above happens with the standard Debian package), but 7.3 doesn't seem to
use a file to store the password (didn't have time to look a lot at 7.3 :(.

Is this a known problem? Did I miss the answer when I browsed the web
and mail archives?

Thanks for your help.

Raph

Re: wrong password accepted

From
Sam Barnett-Cormack
Date:
On Fri, 29 Aug 2003, Raphael Bauduin wrote:

> Hi,
>
> this is a strange situation I just discovered on a postgresql
> 7.2.1-2woody2 (Debian as you can see...). I use pg_hba to specify
> password authentication for clients. Here's the line:
> host         all         127.0.0.1    255.255.255.0       password  pass-file
>
> I just discovered that when I use the correct password to which I append
> text, it is accepted (though this is not correct...)
> For example, if my password is postgres, the following will also be
> accepted: postgresql, postgresblabla, postgres2 ...... but it will
> reject postgrex, e.g.

If the password mechanism uses standard crypt() passwords, then only the
first eight letters count. It just happens that postgres is eight
letters long.

This has been a public service educated guess.

--

Sam Barnett-Cormack
Software Developer                           |  Student of Physics & Maths
UK Mirror Service (http://www.mirror.ac.uk)  |  Lancaster University
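
Modelling the cause Sam describes, as an added example that is not part of the thread or of PostgreSQL's own code: traditional DES-based crypt(3) builds its key from only the first 8 characters of the password, so every candidate that shares those 8 characters is verified as identical. The hash-prefix audit goes slightly beyond the thread (it also recognises the later MD5/SHA crypt variants), and the sample password-file entries are constructed, not real hashes.

```python
# Added example, not from the thread: models why a traditional crypt(3)
# password check accepts "postgresql" for the password "postgres". DES-based
# crypt(3) derives its 56-bit key from only the first 8 password characters
# (low 7 bits of each), so anything past the eighth is ignored before hashing.

def des_crypt_key(password: str) -> bytes:
    """Return the 8-byte DES key traditional crypt(3) derives from a password.

    Only the first 8 characters are used; shorter passwords are NUL-padded;
    each character's low 7 bits land in bits 1..7 of a key byte (bit 0 is
    the DES parity bit, which crypt(3) leaves unused).
    """
    raw = password.encode("latin-1", errors="replace")[:8].ljust(8, b"\0")
    return bytes((c & 0x7F) << 1 for c in raw)

def same_des_key(a: str, b: str) -> bool:
    """True when traditional crypt(3) would hash the two passwords identically
    under the same salt, i.e. a password check cannot tell them apart."""
    return des_crypt_key(a) == des_crypt_key(b)

def hash_scheme(stored: str):
    """Classify a crypt-style hash string and return (scheme, characters
    actually verified); None means no fixed cap. Prefixes: '$1$' MD5,
    '$5$' SHA-256, '$6$' SHA-512; a bare 13-character string (2 salt
    characters + 11 hash characters) is traditional DES crypt."""
    for prefix, name in (("$1$", "md5-crypt"), ("$5$", "sha256-crypt"),
                         ("$6$", "sha512-crypt")):
        if stored.startswith(prefix):
            return (name, None)
    if len(stored) == 13 and "$" not in stored:
        return ("des-crypt", 8)
    return ("unknown", None)

def audit_password_file(lines):
    """Yield (user, scheme, cap) for each 'user:hash' line so entries whose
    hash only verifies 8 characters stand out."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        yield (user,) + hash_scheme(stored)

# Constructed sample entries (not real hashes): one DES-style, one MD5-style.
SAMPLE_PASS_FILE = ["raph:abJ1xYzQw3k4m", "other:$1$saltsalt$notarealhashvalue"]

if __name__ == "__main__":
    for cand in ("postgresql", "postgresblabla", "postgres2", "postgrex"):
        print(cand, "accepted" if same_des_key("postgres", cand) else "rejected")
    print(list(audit_password_file(SAMPLE_PASS_FILE)))
```

Running it shows the first three candidates collapse onto the same DES key as "postgres" while "postgrex" does not, which is exactly the acceptance pattern reported above; the audit flags which stored entries carry that 8-character cap.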

Re: wrong password accepted

From
Raphael Bauduin
Date:
On Fri, Aug 29, 2003 at 02:22:07PM +0100, Sam Barnett-Cormack wrote:
>
> On Fri, 29 Aug 2003, Raphael Bauduin wrote:
>
> > Hi,
> >
> > this is a strange situation I just discovered on a postgresql
> > 7.2.1-2woody2 (Debian as you can see...). I use pg_hba to specify
> > password authentication for clients. Here's the line:
> > host         all         127.0.0.1    255.255.255.0       password  pass-file
> >
> > I just discovered that when I use the correct password to which I append
> > text, it is accepted (though this is not correct...)
> > For example, if my password is postgres, the following will also be
> > accepted: postgresql, postgresblabla, postgres2 ...... but it will
> > reject postgrex, e.g.
>
> If the password mechanism uses standard crypt() passwords, then only the
> first eight letters count. It just happens that postgres is eight
> letters long.
>
> This has been a public service educated guess.

It seems this was a good guess. Thanks for this simple and efficient
answer! :-)

Raph