Thread: Problem - any password accepted
While experimenting just now, I seem to have found a weird problem with
passwords, in that _anything_ I type in is accepted as a valid password.

Here are the relevant bits of pg_hba.conf

# Database administrative login by UNIX sockets
local   all         postgres                          ident sameuser

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
hostnossl junk      olly        127.0.0.1/32          trust
host    all         all         127.0.0.1/32          md5
# IPv6 local connections:
host    all         all         ::1/128               md5

1. Unix socket access is fine - no password requested.

olly@linda:~$ psql junk
Welcome to psql 8.2.4, the PostgreSQL interactive terminal.

2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
the next host line, which specifies an md5 password. Whatever I type is
accepted.

junk=# \q
olly@linda:~$ psql -h localhost junk
Password:
Welcome to psql 8.2.4, the PostgreSQL interactive terminal.

junk=# select * from pg_shadow;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |               passwd                | valuntil | useconfig
----------+----------+-------------+----------+-----------+-------------------------------------+----------+-----------
 postgres |       10 | t           | t        | t         |                                     |          |
 olly     |    16384 | t           | t        | t         | md5739e5b0ea17d0a2b9b58df4fad055a09 |          |
(2 rows)

In the log I have:

2007-05-30 17:54:59 BST LOG:  could not receive data from client: Connection reset by peer
2007-05-30 17:55:02 BST FATAL:  password authentication failed for user "olly"

but it has still let me in.

-- 
Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
Do you want to know God?   http://www.lfix.co.uk/knowing_god.html
Oliver Elphick wrote:
> While experimenting just now, I seem to have found a weird problem with
> passwords, in that _anything_ I type in is accepted as a valid password.
>
> Here are the relevant bits of pg_hba.conf
> # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
> hostnossl junk      olly        127.0.0.1/32          trust
> host    all         all         127.0.0.1/32          md5

> 2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
> the next host line, which specifies an md5 password. Whatever I type is
> accepted.

> In the log I have:
> 2007-05-30 17:54:59 BST LOG:  could not receive data from client: Connection reset by peer
> 2007-05-30 17:55:02 BST FATAL:  password authentication failed for user "olly"
>
> but it has still let me in.

Is it not falling back to non-SSL access, and so letting you through with
"trust"?

With a libpq call you could set "sslmode", but I'm not sure if you can do
that from the command-line.

-- 
  Richard Huxton
  Archonet Ltd
On Wed, May 30, 2007 at 05:58:24PM +0100, Oliver Elphick wrote:
> While experimenting just now, I seem to have found a weird problem with
> passwords, in that _anything_ I type in is accepted as a valid password.

> # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
> # IPv4 local connections:
> hostnossl junk      olly        127.0.0.1/32          trust

Looks to me you're matching this line ^^^

> 2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
> the next host line, which specifies an md5 password. Whatever I type is
> accepted.

When SSL fails, it retries as non-SSL.

> In the log I have:
> 2007-05-30 17:54:59 BST LOG:  could not receive data from client: Connection reset by peer
> 2007-05-30 17:55:02 BST FATAL:  password authentication failed for user "olly"

Those lines are the failure of the SSL connection, the successful
connection is just fine.

Have a nice day,
-- 
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
On Wed, 2007-05-30 at 19:38 +0200, Martijn van Oosterhout wrote:
> On Wed, May 30, 2007 at 05:58:24PM +0100, Oliver Elphick wrote:
> > While experimenting just now, I seem to have found a weird problem with
> > passwords, in that _anything_ I type in is accepted as a valid password.
>
> > # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
> > # IPv4 local connections:
> > hostnossl junk      olly        127.0.0.1/32          trust
>
> Looks to me you're matching this line ^^^
>
> > 2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
> > the next host line, which specifies an md5 password. Whatever I type is
> > accepted.
>
> When SSL fails, it retries as non-SSL.
>
> > In the log I have:
> > 2007-05-30 17:54:59 BST LOG:  could not receive data from client: Connection reset by peer
> > 2007-05-30 17:55:02 BST FATAL:  password authentication failed for user "olly"
>
> Those lines are the failure of the SSL connection, the successful
> connection is just fine.

I didn't realise it retried. Thanks

-- 
Oliver Elphick                                          olly@lfix.co.uk
Richard Huxton <dev@archonet.com> writes:
> With a libpq call you could set "sslmode", but I'm not sure if you can
> do that from the command-line.

I think you can set it via a PGSSLMODE environment variable.

			regards, tom lane
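To make the two points in this thread concrete (pg_hba.conf is matched top to bottom with the first hit winning, and a libpq client with sslmode=prefer retries a failed SSL connection in plain TCP, where a different line can match), here is a small added Python model of both sides. It is not PostgreSQL or libpq code; the rule list is taken from the pg_hba.conf quoted above, while KNOWN_PASSWORD and the simplified sslmode handling are assumptions.

```python
import ipaddress

# TCP rules from the pg_hba.conf quoted in the thread; the "local" Unix-socket
# lines can never match a TCP connection, so they are left out.
PG_HBA = [
    ("hostnossl", "junk", "olly", "127.0.0.1/32", "trust"),
    ("host",      "all",  "all",  "127.0.0.1/32", "md5"),
    ("host",      "all",  "all",  "::1/128",      "md5"),
]
# Constructed stand-in for the server's md5 check against pg_shadow.
KNOWN_PASSWORD = {"olly": "correct-horse"}


def first_matching_method(rules, database, user, addr, ssl):
    # pg_hba lines are tried top to bottom and the first match wins. 'host'
    # matches SSL and plain TCP, 'hostssl' only SSL, 'hostnossl' only plain.
    ip = ipaddress.ip_address(addr)
    for ctype, db, usr, cidr, method in rules:
        if (ctype == "hostssl" and not ssl) or (ctype == "hostnossl" and ssl):
            continue
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if ip in ipaddress.ip_network(cidr):
            return method
    return None  # nothing matched: the server rejects the connection


def server_accepts(rules, database, user, addr, ssl, password):
    # Server side: 'trust' asks for no password at all, 'md5' needs the right one.
    method = first_matching_method(rules, database, user, addr, ssl)
    if method == "trust":
        return True
    return method == "md5" and KNOWN_PASSWORD.get(user) == password


def connect(rules, database, user, addr, password, sslmode="prefer"):
    # Client side, as the thread describes libpq: with sslmode=prefer a failed
    # SSL attempt is retried in plain TCP (hitting a different pg_hba line);
    # with sslmode=require (e.g. PGSSLMODE=require) there is no retry.
    attempts = []
    if sslmode in ("prefer", "require"):
        ok = server_accepts(rules, database, user, addr, True, password)
        attempts.append(("ssl", ok))
        if ok or sslmode == "require":
            return ok, attempts
    ok = server_accepts(rules, database, user, addr, False, password)
    attempts.append(("nossl", ok))
    return ok, attempts
```

With the thread's rules, a wrong password over SSL fails on the md5 line and the plain-TCP retry lands on the hostnossl trust line, which is exactly the "any password accepted" symptom; with sslmode=require the retry never happens.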