Thread: Differences in crypt hash?
Hi all,

I am trying to figure out exactly what is going on with a client that I have just compiled for Solaris 2.7. I have compiled both 7.0.3 and 7.1.2, and neither gave me any obvious compilation errors, but I did note these interesting (relevant?) warnings:

UX tsort: INFORM: cycle in data fe-connect.o fe-auth.o
UX tsort: INFORM: cycle in data fe-exec.o fe-connect.o

My Solaris client uses the three files: libpq-fe.h, postgres_ext.h, and libpq.a (nothing else).

The problem is that my Solaris client does not authenticate against my server (7.0.3 built on FreeBSD).

I added the following line to src/backend/libpq/crypt.c, function crypt_verify(), for logging:

fprintf(stderr, "crypt_verify: user='%s' pass='%s', crypt='%s'\n", user, pgpass, crypt_pwd);

When my FreeBSD client connects, this logging prints success:

crypt_verify: user='dtvuser' pass='$1$hI$eaByHtOxTYKOygT1.JMsU.', crypt='$1$hI$eaByHtOxTYKOygT1.JMsU.'
crypt_verify: user='dtvuser' pass='$1$ZH$YGGYInw6oH0P29Ze6hlo.1', crypt='$1$ZH$YGGYInw6oH0P29Ze6hlo.1'

When my Solaris client tries to connect, the hash is totally wrong:

crypt_verify: user='dtvuser' pass='lBeX8.2tWJup.', crypt='$1$lB$ajOq8TJJdUAAyDZcSGDfM.'
crypt_verify: user='dtvuser' pass='3HW/UXZhFVXhs', crypt='$1$3H$QzIURSP9F/v/nI5jFwwXn.'

My FreeBSD client is apparently using a salted MD5 hash, where my Solaris client seems to be just throwing something else.

Is there a configuration item I missed while compiling? Or is there a run-time option involved?

Thanks for any insight into this!

-Richard

-------------------------------------------
Richard Hodges       | Matriplex, inc.
Product Manager      | 769 Basque Way
rh@matriplex.com     | Carson City, NV 89706
775-886-6477         | www.matriplex.com
Richard Hodges <rh@matriplex.com> writes:
> The problem is that my Solaris client does not authenticate against
> my server (7.0.3 built on FreeBSD).

Indeed, one of the nasty things about the 'crypt' authentication method is that it assumes the crypt() library call acts the same on both client and server machine. As you've just discovered, that ain't always so.

There have been plans for some time to supersede our present password auth methods with something more secure and portable (probably MD5 double hashing at both ends). I think Vince V. is working on that, but I've not heard anything about it lately. You can read all about it in the pghackers mail archives if you care.

In the meantime, you'll just have to use a different auth method. Plain "password" would work. (If you're concerned about someone sniffing your TCP connection, consider using SSL.)

regards, tom lane
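Tom's point, that the two crypt() implementations disagree, can be checked directly against the crypt_verify log lines Richard posted. The following is an added example (not code from the thread or from PostgreSQL): it parses those log lines, classifies each side's value by crypt(3) scheme from its shape, and reports whether the salt and the scheme agree. The log lines are embedded as constructed sample input copied from the thread.

```python
import re

# Constructed sample input: the crypt_verify log lines quoted in the thread above.
LOG_LINES = [
    "crypt_verify: user='dtvuser' pass='$1$hI$eaByHtOxTYKOygT1.JMsU.', crypt='$1$hI$eaByHtOxTYKOygT1.JMsU.'",
    "crypt_verify: user='dtvuser' pass='lBeX8.2tWJup.', crypt='$1$lB$ajOq8TJJdUAAyDZcSGDfM.'",
    "crypt_verify: user='dtvuser' pass='3HW/UXZhFVXhs', crypt='$1$3H$QzIURSP9F/v/nI5jFwwXn.'",
]

LINE_RE = re.compile(r"crypt_verify: user='([^']*)' pass='([^']*)', crypt='([^']*)'")
# MD5-crypt: "$1$" + salt (up to 8 chars) + "$" + 22-char hash.
MD5_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}$")
# Traditional DES crypt: 2-char salt followed by 11 hash chars (13 total).
DES_RE = re.compile(r"^([./0-9A-Za-z]{2})[./0-9A-Za-z]{11}$")


def classify(hashed):
    """Return (scheme, salt) for one crypt(3) output string."""
    m = MD5_RE.match(hashed)
    if m:
        return "md5-crypt", m.group(1)
    m = DES_RE.match(hashed)
    if m:
        return "des-crypt", m.group(1)
    return "unknown", None


def diagnose(line):
    """Compare the client-supplied value (pass=) with the server's crypt() result (crypt=)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a crypt_verify log line: %r" % line)
    user, client_val, server_val = m.groups()
    client_scheme, client_salt = classify(client_val)
    server_scheme, server_salt = classify(server_val)
    return {
        "user": user,
        "client_scheme": client_scheme,
        "server_scheme": server_scheme,
        "same_salt": client_salt == server_salt,    # both sides used the server's 2-char salt
        "same_scheme": client_scheme == server_scheme,
        "authenticated": client_val == server_val,  # the comparison crypt_verify actually makes
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        print(diagnose(line))
```

For the Solaris lines the salt agrees on both sides but the scheme does not, which is exactly the cross-platform crypt() mismatch Tom describes.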
> Richard Hodges <rh@matriplex.com> writes:
> > The problem is that my Solaris client does not authenticate against
> > my server (7.0.3 built on FreeBSD).
>
> Indeed, one of the nasty things about the 'crypt' authentication method
> is that it assumes the crypt() library call acts the same on both client
> and server machine. As you've just discovered, that ain't always so.
>
> There have been plans for some time to supersede our present password
> auth methods with something more secure and portable (probably MD5
> double hashing at both ends). I think Vince V. is working on that,
> but I've not heard anything about it lately. You can read all about it
> in the pghackers mail archives if you care.

I am trying to get it done for 7.2. I have Vince's md5 code. I just need to plug it into the authentication code.

--
Bruce Momjian                        | http://candle.pha.pa.us
pgman@candle.pha.pa.us               | (610) 853-3000
+ If your life is a hard drive,      | 830 Blythe Avenue
+ Christ can be your backup.         | Drexel Hill, Pennsylvania 19026
On Sat, 4 Aug 2001, Bruce Momjian wrote:

> > Richard Hodges <rh@matriplex.com> writes:
> > > The problem is that my Solaris client does not authenticate against
> > > my server (7.0.3 built on FreeBSD).
> >
> > Indeed, one of the nasty things about the 'crypt' authentication method
> > is that it assumes the crypt() library call acts the same on both client
> > and server machine. As you've just discovered, that ain't always so.
> >
> > There have been plans for some time to supersede our present password
> > auth methods with something more secure and portable (probably MD5
> > double hashing at both ends). I think Vince V. is working on that,
> > but I've not heard anything about it lately. You can read all about it
> > in the pghackers mail archives if you care.
>
> I am trying to get it done for 7.2. I have Vince's md5 code. I just
> need to plug it into the authentication code.

Thanks for the info, Tom and Bruce. I'll just have to use cleartext passwords in the meantime :-( Yuck.

All the best,

-Richard

-------------------------------------------
Richard Hodges       | Matriplex, inc.
Product Manager      | 769 Basque Way
rh@matriplex.com     | Carson City, NV 89706
775-886-6477         | www.matriplex.com