This will be fixed in 7.3.1. Attached is the patch, but changing to MD5
is preferable.
---------------------------------------------------------------------------
Greg Kelley wrote:
> Folks,
>
> Just upgraded from 7.1.3 to 7.3 (using RPMs) and now none of the assigned
> users can login as before. Tried resetting passwords with 'ALTER USER XXX
> WITH PASSWORD='pwd' and it didn't help. pg_hba.conf listing follows:
>
>
> # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
>
> local all all
> password
> host all all 127.0.0.1 255.255.255.255 password
> host all all 192.168.1.0 255.255.255.0 password
> host all all 24.128.216.179 255.255.255.255 password
> host all all 217.33.127.174 255.255.255.248 password
>
> Had to set the first two lines to 'trust' to get apache/php to access data.
> Would like to have password protection working again, but can't figure out
> what's gone wrong. Any ideas appreciated, thanks.
>
> Rgds,
>
> ________________________
> Greg Kelley, IT Director
> Britannic Aviation, US and UK
> US Office:
> Pease Int'l Tradeport
> 68 New Hampshire Ave.
> Portsmouth, NH 03801
> 603.766.3005
> http://www.britannicaviation.com
> AOPA, EAA, SSA
> CFII SEL, MEL; Comm Glider
>
>
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Index: src/backend/libpq/crypt.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/crypt.c,v
retrieving revision 1.49
diff -c -c -r1.49 crypt.c
*** src/backend/libpq/crypt.c 4 Sep 2002 20:31:19 -0000 1.49
--- src/backend/libpq/crypt.c 5 Dec 2002 18:03:53 -0000
***************
*** 29,35 ****
int
! md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
{
char *passwd = NULL,
*valuntil = NULL,
--- 29,35 ----
int
! md5_crypt_verify(const Port *port, const char *user, char *pgpass)
{
char *passwd = NULL,
*valuntil = NULL,
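Review bot: Dropping `const` from `pgpass` in the signature is not needed for what this patch does: none of the visible hunks write through `pgpass`, and the qualifier is only removed so that `char *crypt_pgpass = pgpass;` compiles. Keeping `const char *pgpass` and holding the hashed copy in its own pointer, `char *hashed_pgpass = NULL;`, with the comparison done against `hashed_pgpass ? hashed_pgpass : pgpass`, preserves the guarantee that the verifier never modifies the client-supplied password. The cleanup in the last crypt.c hunk then becomes `if (hashed_pgpass) pfree(hashed_pgpass);` instead of the pointer-identity test `crypt_pgpass != pgpass`, and the prototype change in src/include/libpq/crypt.h is no longer required. The function body continues outside this hunk.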
***************
*** 37,42 ****
--- 37,43 ----
int retval = STATUS_ERROR;
List **line;
List *token;
+ char *crypt_pgpass = pgpass;
if ((line = get_user_line(user)) == NULL)
return STATUS_ERROR;
***************
*** 54,64 ****
if (passwd == NULL || *passwd == '\0')
return STATUS_ERROR;
! /* If they encrypt their password, force MD5 */
! if (isMD5(passwd) && port->auth_method != uaMD5)
{
elog(LOG, "Password is stored MD5 encrypted. "
! "'password' and 'crypt' auth methods cannot be used.");
return STATUS_ERROR;
}
--- 55,65 ----
if (passwd == NULL || *passwd == '\0')
return STATUS_ERROR;
! /* We can't do crypt with pg_shadow MD5 passwords */
! if (isMD5(passwd) && port->auth_method == uaCrypt)
{
elog(LOG, "Password is stored MD5 encrypted. "
! "'crypt' auth method cannot be used.");
return STATUS_ERROR;
}
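Review bot: The replacement comment `/* We can't do crypt with pg_shadow MD5 passwords */` says neither why crypt fails nor that narrowing the test from `port->auth_method != uaMD5` to `== uaCrypt` re-enables the `password` method for MD5-stored passwords. With `password` the client's secret reaches the server unhashed (it is hashed server-side in the later `default:` hunk), so it is only as protected as the connection carrying it. I would expand the comment to something like `/* crypt needs the plaintext, which an MD5 entry in pg_shadow cannot supply; 'password' still works because we hash the supplied value ourselves, but md5 is the preferred method */`. The enclosing function starts and ends outside this hunk.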
***************
*** 72,77 ****
--- 73,79 ----
crypt_pwd = palloc(MD5_PASSWD_LEN + 1);
if (isMD5(passwd))
{
+ /* pg_shadow already encrypted, only do salt */
if (!EncryptMD5(passwd + strlen("md5"),
(char *) port->md5Salt,
sizeof(port->md5Salt), crypt_pwd))
***************
*** 82,87 ****
--- 84,90 ----
}
else
{
+ /* pg_shadow plain, double-encrypt */
char *crypt_pwd2 = palloc(MD5_PASSWD_LEN + 1);
if (!EncryptMD5(passwd, port->user, strlen(port->user),
***************
*** 110,120 ****
break;
}
default:
crypt_pwd = passwd;
break;
}
! if (strcmp(pgpass, crypt_pwd) == 0)
{
/*
* Password OK, now check to be sure we are not past valuntil
--- 113,134 ----
break;
}
default:
+ if (isMD5(passwd))
+ {
+ /* Encrypt user-supplied password to match MD5 in pg_shadow */
+ crypt_pgpass = palloc(MD5_PASSWD_LEN + 1);
+ if (!EncryptMD5(pgpass, port->user, strlen(port->user),
+ crypt_pgpass))
+ {
+ pfree(crypt_pgpass);
+ return STATUS_ERROR;
+ }
+ }
crypt_pwd = passwd;
break;
}
! if (strcmp(crypt_pgpass, crypt_pwd) == 0)
{
/*
* Password OK, now check to be sure we are not past valuntil
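Review bot: The new server-side hashing sits under `default:`, so it applies to every auth method not named by an explicit case and treats `pgpass` as a cleartext password for all of them. If only the `password` method is meant to reach this branch (the callers and the head of the switch are outside this hunk, so this is an assumption), label it `case uaPassword:` and let `default:` fail closed with `return STATUS_ERROR;`, so a method added later cannot fall into a cleartext comparison by accident. The comment would also read more accurately as `/* Hash the cleartext password the client sent so it can be compared with the MD5 entry in pg_shadow */`, since MD5 here is a one-way hash rather than encryption.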
***************
*** 136,141 ****
--- 150,157 ----
if (port->auth_method == uaMD5)
pfree(crypt_pwd);
+ if (crypt_pgpass != pgpass)
+ pfree(crypt_pgpass);
return retval;
}
Index: src/include/libpq/crypt.h
===================================================================
RCS file: /cvsroot/pgsql-server/src/include/libpq/crypt.h,v
retrieving revision 1.22
diff -c -c -r1.22 crypt.h
*** src/include/libpq/crypt.h 4 Sep 2002 20:31:42 -0000 1.22
--- src/include/libpq/crypt.h 5 Dec 2002 18:03:54 -0000
***************
*** 23,29 ****
extern int md5_crypt_verify(const Port *port, const char *user,
! const char *pgpass);
extern bool md5_hash(const void *buff, size_t len, char *hexsum);
extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed);
--- 23,29 ----
extern int md5_crypt_verify(const Port *port, const char *user,
! char *pgpass);
extern bool md5_hash(const void *buff, size_t len, char *hexsum);
extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed);