Postgres Pro
Downloads
Home   >   mailing lists

Thread: BUG #8628: md5 security hole

BUG #8628: md5 security hole

From
rob@northleaf.com
Date:
The following bug has been logged on the website:

Bug reference:      8628
Logged by:          Robert Nichols0n
Email address:      rob@northleaf.com
PostgreSQL version: 9.3.1
Operating system:   Ubuntu Desktop 64 bit
Description:

I am able to login without a password when the password field is null. If
the field is not null the functionality seems normal, I get rejected unless
the password is correct.  This makes password based login ridiculous.  Is
this a bug or designed in? I login with my own code (Qt based) or with
pgAdmin III and I find the same bug. Is it not possible to require a
password at login?


My pg_hba.conf is:
# TYPE  DATABASE        USER            ADDRESS                 METHOD


# "local" is for Unix domain socket connections only
#local   all             all                                       md5
# IPv4 local connections:
hostssl    all             all             127.0.0.1/32            md5
# IPv6 local connections:
#host    all             all             ::1/128                 trust


Thank you.

Re: BUG #8628: md5 security hole

From
Francisco Olarte
Date:
Hi Rob_

On Sun, Nov 24, 2013 at 5:49 PM,  <rob@northleaf.com> wrote:
> I am able to login without a password when the password field is null. If
> the field is not null the functionality seems normal, I get rejected unless
> the password is correct.  This makes password based login ridiculous.  Is
> this a bug or designed in? I login with my own code (Qt based) or with
> pgAdmin III and I find the same bug. Is it not possible to require a
> password at login?

I doubt a bug like that would have remain uncovered for a long time,
so this has a strong PEBKAC smell.

What do you mean by 'the password field' ? The only similar thing
which I would describe as a 'password field' in a databaseis the
pg_authid.rolpasswd column, which is described as 'Password (possibly
encrypted); null if none.', which would give something which could be
easily interpreted as what you are reporting, making the behaviour you
describe exactly the documented one and your report a misinterpreted
pilot error. Maybe if you add a little more detail and do a little
legwork before making such a strong statement someone can help you.

Regards.
     Francisco Olarte.

Re: BUG #8628: md5 security hole

From
Tom Lane
Date:
rob@northleaf.com writes:
> I am able to login without a password when the password field is null.

Works as expected for me.  Typically, when people complain that password
auth is unexpectedly letting them in, it's because the server isn't
actually using the pg_hba.conf setting they think it is (don't forget to
SIGHUP or restart the postmaster after editing that file), or they have
a ~/.pgpass file that's supplying the password for them.

            regards, tom lane