Thread: BUG #8628: md5 security hole
The following bug has been logged on the website:

Bug reference: 8628
Logged by: Robert Nichols0n
Email address: rob@northleaf.com
PostgreSQL version: 9.3.1
Operating system: Ubuntu Desktop 64 bit
Description:

I am able to login without a password when the password field is null. If the field is not null the functionality seems normal, I get rejected unless the password is correct. This makes password based login ridiculous. Is this a bug or designed in? I login with my own code (Qt based) or with pgAdmin III and I find the same bug. Is it not possible to require a password at login?

My pg_hba.conf is:

# TYPE  DATABASE  USER  ADDRESS       METHOD
# "local" is for Unix domain socket connections only
#local   all       all                 md5
# IPv4 local connections:
hostssl  all       all   127.0.0.1/32  md5
# IPv6 local connections:
#host    all       all   ::1/128       trust

Thank you.
Hi Rob:

On Sun, Nov 24, 2013 at 5:49 PM, <rob@northleaf.com> wrote:
> I am able to login without a password when the password field is null. If
> the field is not null the functionality seems normal, I get rejected unless
> the password is correct. This makes password based login ridiculous. Is
> this a bug or designed in? I login with my own code (Qt based) or with
> pgAdmin III and I find the same bug. Is it not possible to require a
> password at login?

I doubt a bug like that would have remained uncovered for a long time, so this has a strong PEBKAC smell.

What do you mean by 'the password field'? The only similar thing which I would describe as a 'password field' in a database is the pg_authid.rolpasswd column, which is described as 'Password (possibly encrypted); null if none.', which would give something which could be easily interpreted as what you are reporting, making the behaviour you describe exactly the documented one and your report a misinterpreted pilot error.

Maybe if you add a little more detail and do a little legwork before making such a strong statement someone can help you.

Regards,
Francisco Olarte.
rob@northleaf.com writes:
> I am able to login without a password when the password field is null.

Works as expected for me. Typically, when people complain that password auth is unexpectedly letting them in, it's because the server isn't actually using the pg_hba.conf setting they think it is (don't forget to SIGHUP or restart the postmaster after editing that file), or they have a ~/.pgpass file that's supplying the password for them.

regards, tom lane
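Tom's point, that the server may not be applying the rule you think it is, can be checked mechanically against the file itself. The following is an added example, not code from this thread or from PostgreSQL: a simplified first-match evaluator for the reporter's pg_hba.conf that reports which METHOD, if any, a given connection would hit. It assumes a subset of the file syntax (no separate netmask column, no sameuser/samerole/+group keywords, no per-method options) and uses the reporter's config, re-typed here as constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the reporter's pg_hba.conf as posted above
# (comment lines kept so the parser must skip them).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
#local   all       all                 md5
hostssl  all       all   127.0.0.1/32  md5
#host    all       all   ::1/128       trust
"""

@dataclass
class Conn:
    kind: str             # "local" (Unix socket) or "tcp"
    ssl: bool             # only meaningful for kind == "tcp"
    db: str
    user: str
    addr: Optional[str] = None   # client IP for tcp connections

def parse_hba(text):
    """Return (type, database, user, address-or-None, method) tuples,
    in file order; comments and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":            # local lines carry no ADDRESS column
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            rules.append((f[0], f[1], f[2], f[3], f[4]))
    return rules

def _in_list(value, spec):
    return spec == "all" or value in spec.split(",")

def match_method(rules, conn):
    """First matching rule wins, as in PostgreSQL. Returns its METHOD, or
    None when nothing matches (the server then rejects the connection)."""
    for ctype, db, user, addr, method in rules:
        if ctype == "local":
            if conn.kind != "local":
                continue
        else:
            if conn.kind != "tcp":
                continue
            if ctype == "hostssl" and not conn.ssl:
                continue
            if ctype == "hostnossl" and conn.ssl:
                continue
            # v4 address vs v6 network (or vice versa) simply does not match
            if ipaddress.ip_address(conn.addr) not in ipaddress.ip_network(addr, strict=False):
                continue
        if _in_list(conn.db, db) and _in_list(conn.user, user):
            return method
    return None
```

Run it against the output of `SHOW hba_file;` on the live server rather than the copy you think is in use; a mismatch between the two is exactly the situation Tom describes.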