Thread: md5 authentication working?

md5 authentication working?

From: Steve Bergman
Hi,

I'm getting ready to open up port 80 of my apache/pgsql server to the
world and am working on tightening up security.

I have password based authentication working with phpPgAdmin, and Apache
mod_auth_pgsql, as well as PHP.

However, when I set the authentication to md5:

local all all md5

in pg_hba.conf it just works.  Always.  It doesn't matter if I have
auth_PG_hash_type set to CRYPT in auth_pgsql.conf, or whether or not I:

alter user USERNAME with password PASSWORD

or

alter user USERNAME with encrypted password PASSWORD

No matter what I do, as long as the user and password are correct, it
works.  If I set the passwords differently, it correctly denies access.

Looking in /var/lib/pgsql/global/pg_pwd shows passwords with an md5
prefix and which are obviously encrypted.  In fact, even the users I
have not altered to use encrypted passwords have them.

I'm running Fedora Core 1 with the vendor provided 7.4.2-1 rpms, and
stock Fedora Core 1 apache and mod_auth_pgsql.  PHP is 5.0.0 from
php.net.

So, is my information old, and md5 is "just standard" now?  Or is
something else going on?

Thanks,
Steve Bergman




Re: md5 authentication working?

From: Tom Lane
Steve Bergman <steve@rueb.com> writes:
> So, is my information old, and md5 is "just standard" now?

It is default now.  I think you'd need to say ALTER USER u WITH
UNENCRYPTED PASSWORD 'foo' to push a cleartext password into pg_shadow.
(There may also still be a postgresql.conf setting that affects this,
but I'm too lazy to go look.)

            regards, tom lane
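
An added example, not part of the original posts: a simplified model of PostgreSQL's md5 password scheme, showing why the login succeeds whether the stored entry is cleartext or md5-prefixed, and how to flag cleartext entries. The function names, sample rows and salt are constructed for illustration, and the server-side check is an assumption-level sketch rather than PostgreSQL's own code.

```python
import hashlib
import hmac
import re

MD5_ENTRY = re.compile(r"md5[0-9a-f]{32}")

def pg_md5_verifier(user, password):
    # Stored form: "md5" + hex(md5(password || username)).
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def classify(stored):
    # An md5 entry is exactly "md5" plus 32 hex digits; anything else is cleartext.
    if not stored:
        return "none"
    return "md5" if MD5_ENTRY.fullmatch(stored) else "cleartext"

def md5_response(user, password, salt):
    # Client side of md5 auth: hash the verifier's hex digest with the server's salt.
    inner = pg_md5_verifier(user, password)[3:].encode()
    return "md5" + hashlib.md5(inner + salt).hexdigest()

def server_accepts(user, stored, salt, response):
    # Simplified model: a cleartext entry is hashed on the fly, so both storage
    # forms yield the same expected response.
    if classify(stored) == "cleartext":
        stored = pg_md5_verifier(user, stored)
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)

def cleartext_users(rows):
    # Audit helper: usernames whose stored entry is not an md5 verifier.
    return [user for user, stored in rows if classify(stored) == "cleartext"]

# Constructed sample rows (username, stored password), not real data.
SAMPLE_ROWS = [
    ("alice", pg_md5_verifier("alice", "s3cret")),  # encrypted entry
    ("bob", "s3cret"),                              # cleartext entry
]
SALT = b"\x01\x02\x03\x04"  # constructed 4-byte salt

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        ok = server_accepts(user, stored, SALT, md5_response(user, "s3cret", SALT))
        print(user, classify(stored), "login ok" if ok else "login denied")
    print("cleartext entries:", cleartext_users(SAMPLE_ROWS))
```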