Thread: password method in pg_hba.conf fails

password method in pg_hba.conf fails

From
Emmanuel Dreyfus
Date:
Hello everybody

I just upgraded from 7.2.2 to 7.3.2, and this upgrade broke the way I
handled authentication.

I had an external password file ~pgsql/data/pg_passwd with lines like this:
guest:OgP29.PYhgA

~pgsql/data/pg_hba.conf contains entries like this (I had to add one field when
upgrading to 7.3.2, the beast complaining about it)
local   all        guest   trust
local   template1       all     password        pg_passwd
local   dirdb   all     password        pg_passwd

Then I try to login. I get this:
$ psql -U pgsql dirdb
Password:
psql: FATAL:  Password authentication failed for user "pgsql"

ktrace'ing the postgres process (I'm running on NetBSD) shows that it never
tries to open ~pgsql/data/pg_passwd.

What went wrong?

--
Emmanuel Dreyfus
manu@netbsd.org

Re: password method in pg_hba.conf fails

From
Tom Lane
Date:
manu@netbsd.org (Emmanuel Dreyfus) writes:
>> We do not support external password files anymore.  Sorry.

> What is the benefit of throwing away this feature?

I don't recall the reasoning.  You can dig through the pghackers mailing
list archives if you want to see the discussion.

            regards, tom lane

Re: password method in pg_hba.conf fails

From
Tom Lane
Date:
Emmanuel Dreyfus <manu@netbsd.org> writes:
> I had an external password file ~pgsql/data/pg_passwd with lines like this:
> guest:OgP29.PYhgA

We do not support external password files anymore.  Sorry.

            regards, tom lane

Re: password method in pg_hba.conf fails

From
Bruce Momjian
Date:
Tom Lane wrote:
> manu@netbsd.org (Emmanuel Dreyfus) writes:
> >> We do not support external password files anymore.  Sorry.
>
> > What is the benefit of throwing away this feature?
>
> I don't recall the reasoning.  You can dig through the pghackers mailing
> list archives if you want to see the discussion.

The issue is that no one was using it, or at least we thought so, and it
could only use crypt, while MD5 is better because it allows random salt
to be added to the over-the-wire password transfer.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
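To make Bruce's point concrete, here is an added example (not code from the thread or from PostgreSQL itself) of the md5 exchange that replaced the crypt-based password file. The stored value is "md5" + md5(password || username); per connection the server sends four random salt bytes and the client answers with md5 over the stored hash and that salt. The server can check the answer from the stored hash alone, which is exactly what it cannot do with a crypt() hash, so the crypt-file setup forced the cleartext "password" method on the wire. The role names and password are constructed for the example; note that current PostgreSQL releases offer SCRAM-SHA-256, which should be preferred over md5 where available.

```python
import hashlib
import hmac
import os


def stored_md5_hash(username: str, password: str) -> str:
    """What the server stores for a role using the md5 method:
    "md5" + hex(md5(password || username)).  The username acts as a fixed
    per-role salt for the stored value; no cleartext password is kept."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def new_challenge_salt() -> bytes:
    """The server picks 4 fresh random bytes for every connection attempt
    and sends them in its AuthenticationMD5Password message."""
    return os.urandom(4)


def client_response(username: str, password: str, salt: bytes) -> str:
    """What the client puts on the wire in its PasswordMessage: a second MD5
    over the inner hash plus the random salt.  Neither the password nor the
    stored hash is transmitted, and the answer is only valid for this salt."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_verify(stored: str, response: str, salt: bytes) -> bool:
    """Server side: recompute the expected response from the stored hash
    alone.  A crypt() hash could not be used this way, because the server
    cannot re-derive anything from it without the cleartext password."""
    if not stored.startswith("md5") or not response.startswith("md5"):
        return False
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def demo():
    """Constructed exchange for role 'guest': a good login, a replay of the
    sniffed response against a fresh salt, and a wrong password."""
    stored = stored_md5_hash("guest", "s3cret")          # kept by the server
    salt_first = new_challenge_salt()                     # first connection
    sniffed = client_response("guest", "s3cret", salt_first)
    salt_second = new_challenge_salt()                    # attacker's connection
    return {
        "login_ok": server_verify(stored, sniffed, salt_first),
        "replay_ok": server_verify(stored, sniffed, salt_second),
        "wrong_pw_ok": server_verify(stored, client_response("guest", "wrong", salt_first), salt_first),
    }
```

The random salt is what defeats replay: a response captured from one session is useless against the next, whereas with the cleartext "password" method anyone who sees one login has the password itself.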

Re: password method in pg_hba.conf fails

From
Tom Lane
Date:
manu@netbsd.org (Emmanuel Dreyfus) writes:
> I now need to store the
> PostgreSQL superuser password in cleartext in a shell script.

The new ~/.pgpass mechanism should help with that.

> I'm ready to work on patches to re-introduce the feature, would you
> accept them?

No.  We are trying to get away from using crypt(), mainly because it's
not very portable (and not even very secure these days).  And the
secondary-password-file mechanism was never anything more than a kluge
anyway.  If you want your database users to be actual Unix system users,
why not just check them directly against /etc/passwd?

> I thought about implementing a PAM for this, since 7.3 supports
> PAM. What do you think about it?

The whole point of PAM is to allow installation-local authentication
methods, so you could easily set up something that checks a password
against /etc/passwd if you like.  (There is surely such a PAM module
out there already, I'd expect, so look before you write.)

If your OS supports it, you might also want to consider using
Unix-socket-IDENT authentication, and forget passwords altogether.

            regards, tom lane
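Tom points at ~/.pgpass as the way to keep the superuser password out of the shell script. As an added example (not code from the thread or from libpq), this reimplements the two rules of that file that matter for security: lines are hostname:port:database:username:password with backslash escapes for ':' and '\', the first matching line wins, and libpq silently ignores the whole file if its mode allows group or world access. The sample file contents and role names are constructed for the example; libpq also honours PGPASSFILE to point at a different path, and the hostname "localhost" matches Unix-socket connections as well as TCP ones.

```python
import os
import stat
import tempfile


def split_pgpass_line(line: str) -> list:
    """Split one .pgpass line on ':' honouring libpq's escapes: a backslash
    protects the following character, so '\\:' is a literal colon and
    '\\\\' a literal backslash (needed for passwords containing those)."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields


def lookup_pgpass(text: str, host: str, port: int, dbname: str, user: str):
    """Return the password of the first line whose hostname, port, database
    and username fields each equal the request or are '*'.  First match
    wins, so specific entries belong above wildcard ones."""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = split_pgpass_line(raw)
        if len(fields) != 5:
            continue
        f_host, f_port, f_db, f_user, password = fields
        wanted = ((f_host, host), (f_port, str(port)), (f_db, dbname), (f_user, user))
        if all(want in ("*", have) for want, have in wanted):
            return password
    return None


def pgpass_is_usable(path: str) -> bool:
    """libpq refuses a .pgpass readable or writable by group or others
    (mode must be 0600 or stricter) and behaves as if it were absent."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


# Constructed sample: a restricted role for the web front end and one
# wildcard line for the superuser used by the backup script, whose
# password contains ':' and '\' to exercise the escapes.
SAMPLE_PGPASS = "\n".join([
    "localhost:5432:dirdb:guest:guest-pw",
    r"*:*:*:pgsql:p\:ss\\word",
])


def demo():
    """Write the sample with a too-open mode, then fix it, and report what
    libpq would do at each step together with the looked-up passwords."""
    fd, path = tempfile.mkstemp(prefix="pgpass-example-")
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write(SAMPLE_PGPASS + "\n")
        os.chmod(path, 0o644)                 # the mistake: readable by everyone
        usable_at_0644 = pgpass_is_usable(path)
        os.chmod(path, 0o600)                 # the fix
        usable_at_0600 = pgpass_is_usable(path)
        with open(path) as fh:
            text = fh.read()
        return {
            "usable_at_0644": usable_at_0644,
            "usable_at_0600": usable_at_0600,
            "guest": lookup_pgpass(text, "localhost", 5432, "dirdb", "guest"),
            "superuser": lookup_pgpass(text, "localhost", 5432, "template1", "pgsql"),
            "unknown": lookup_pgpass(text, "localhost", 5432, "dirdb", "nobody"),
        }
    finally:
        os.unlink(path)
```

The permission check is the part worth remembering: a world-readable .pgpass is not just a leak, it is also ignored, so the script falls back to prompting (or failing) and the symptom looks like a wrong password rather than a file mode problem.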

Re: password method in pg_hba.conf fails

From
Bruce Momjian
Date:
Tom Lane wrote:
> > I thought about implementing a PAM for this, since 7.3 supports
> > PAM. What do you think about it?
>
> The whole point of PAM is to allow installation-local authentication
> methods, so you could easily set up something that checks a password
> against /etc/passwd if you like.  (There is surely such a PAM module
> out there already, I'd expect, so look before you write.)
>
> If your OS supports it, you might also want to consider using
> Unix-socket-IDENT authentication, and forget passwords altogether.

Right. If you are using a unix socket, they have already logged in, and
'local ident' allows you to know for sure who is on the other end of the
socket.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
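What "know for sure who is on the other end" means in practice: the kernel reports the peer's uid on a connected Unix-domain socket, and the server maps that OS user onto the database roles it may use, the job pg_ident.conf does for the ident method. The following is an added example, not code from the thread or from PostgreSQL; it assumes Linux, where the query is SO_PEERCRED (the BSDs expose the same information through getpeereid()/LOCAL_PEERCRED, which is not handled here), and the ident_map and role names are constructed for the example. It also shows the limit Emmanuel raises: when every connection comes from httpd, the peer is always the web server's user, so all the map can express is what that one user is allowed to be.

```python
import os
import pwd
import socket
import struct


def peer_credentials(sock: socket.socket):
    """Ask the kernel who is on the other end of a connected Unix-domain
    socket.  Linux SO_PEERCRED returns struct ucred {pid, uid, gid}; the
    values are set by the kernel, never by anything the client sent."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    pid, uid, gid = struct.unpack("iII", raw)
    return pid, uid, gid


def uid_to_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:               # uid without a passwd entry (containers)
        return str(uid)


def allow_connection(sock: socket.socket, requested_role: str, ident_map: dict) -> bool:
    """'local ident' style decision: the OS user behind the socket may only
    connect as the database roles listed for it in ident_map (the role
    pg_ident.conf plays).  No password is exchanged at all."""
    _pid, uid, _gid = peer_credentials(sock)
    os_user = uid_to_name(uid)
    return requested_role in ident_map.get(os_user, ())


def demo():
    """Both ends of a socketpair live in this process, so the peer is
    ourselves.  The constructed ident_map lets this OS user connect as
    itself or as 'guest' and nothing else; a request for 'dirdb_admin'
    is refused even though no password was ever wrong."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        me = uid_to_name(os.getuid())
        ident_map = {me: {me, "guest"}}       # constructed mapping, e.g. www -> guest
        pid, uid, _gid = peer_credentials(server_end)
        return {
            "peer_is_us": pid == os.getpid() and uid == os.getuid(),
            "as_self": allow_connection(server_end, me, ident_map),
            "as_guest": allow_connection(server_end, "guest", ident_map),
            "as_dirdb_admin": allow_connection(server_end, "dirdb_admin", ident_map),
        }
    finally:
        server_end.close()
        client_end.close()
```

For the httpd case the map would read {"www": {"guest"}}: the web server can reach the restricted role without any stored secret, while the superuser stays reachable only from a shell running as the pgsql OS user.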

Re: password method in pg_hba.conf fails

From
Bruce Momjian
Date:
Emmanuel Dreyfus wrote:
> > If your OS supports it, you might also want to consider using
> > Unix-socket-IDENT authentication, and forget passwords altogether.
>
> Most of the story is going on through httpd, so this won't help, the
> user is www, whatever the real user is.
>
> However, last time I checked, UNIX socket ident was not available on
> NetBSD. I'll really have to add support for this some day.

It has been available for NetBSD since 7.2.  OpenBSD support was only added in 7.4.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073