Thread: pg_shadow.passwd versus pg_hba.conf password passwd
Re-Sending due to rejection after subscribing, before confirming. Sorry if two make it through... Background: Trying to use a Cobalt box that has PostgreSQL pre-installed. I can change localhost "crypt" to "trust" in pg_hba.conf, but I don't really want to do that long-term. If I'm reading "man pg_passwd" correctly, I can create a standard Un*x passwd file and use that with "password" in pg_hba.conf However, the current installation seems to be using "crypt", with no passwd file, and with unencrypted passwords in the pg_shadow.passwd field -- Or, at least, as far as I can tell, since /etc/.meta.id has the same text as the admin's pg_shadow.passwd field. So, my question is, what is the "passwd" field in pg_shadow for?... Is that where an unencrypted password would be stored if I used "password" rather than "crypt"?... That seems the exact opposite of the reality on this box. Or can I get pg_hba.conf to just use that field somehow with "crypt"? If I *cannot* use pg_shadow.passwd for the encrypted password, and I use standard Un*x passwd file, does create_user know enough with -P to fill that in properly, or am I on my own?... How is Cobalt getting this to work with "localhost all crypt" in pg_hba.conf, but the password does not seem to be encrypted: /etc/.meta.id is plaintext of pg_shadow.passwd, and there is no obvious passwd file, so where's the crypt? I've installed PostgreSQL before, and all this stuff just worked somehow. :-^ I'm reading all the docs I can find, but interpreting them correctly is another matter :-) Please Cc: me, as I'm not really active on this list...
Richard Lynch writes: > If I'm reading "man pg_passwd" correctly, I can create a standard > Un*x passwd file and use that with "password" in pg_hba.conf Correct. > However, the current installation seems to be using "crypt", with no > passwd file, and with unencrypted passwords in the pg_shadow.passwd > field I don't know what your current installation is, but that is definitely a possible scenario. > -- Or, at least, as far as I can tell, since /etc/.meta.id has > the same text as the admin's pg_shadow.passwd field. The file /etc/.meta.id is not used by PostgreSQL as distributed. > So, my question is, what is the "passwd" field in pg_shadow for?... If you don't use the extra argument after "password" in pg_hba.conf then that's where the password comes from. > Is that where an unencrypted password would be stored if I used > "password" rather than "crypt"?... "password" vs "crypt" is only related to what goes over the wire, not where the password comes from. > That seems the exact opposite of the reality on this box. Or can I > get pg_hba.conf to just use that field somehow with "crypt"? Crypt with password file is not possible, I'm afraid. > If I *cannot* use pg_shadow.passwd for the encrypted password, You can. You *are*, AFAICT. > and I use standard Un*x passwd file, does create_user know enough with > -P to fill that in properly, or am I on my own?... > > How is Cobalt getting this to work with "localhost all crypt" in > pg_hba.conf, but the password does not seem to be encrypted: > /etc/.meta.id is plaintext of pg_shadow.passwd, and there is no > obvious passwd file, so where's the crypt? On the wire. -- Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/