Thread: Newbie confused about pg_hba/md5 and password field in PQsetdbLogin
Hello, I'm pretty new to PostgreSQL in general and even newer to libpq. I am trying to get a C program working (the authpgsql module in courier-imap) that uses PQsetdbLogin(). I've got 7.2.1 installed and running and have had no problem accessing it via JDBC. I have encrypted passwords in pg_shadow and have "md5" set for the AUTH_TYPE in pg_hba.conf. However, when using PQsetdbLogin the only way I could get a login to work was to use unencrypted passwords in pg_shadow and change pg_hba.conf to use "password" instead of "md5" for the database I want access to through authpgsql. Why is this? Do I somehow have to md5 the clear text password before calling PQsetdbLogin()? Does PQconnectdb() handle this and I should update the code? I feel that the client code should be unaware of the over the wire encryption method used and the encryption method of the password in pg_shadow but I may be way off base on the underlying issue. Thanks in advance for any information.
Sorry, this seems impossible: libpq's PQsetdbLogin() doesn't allow MD5 passwords? You shouldn't have to do anything special; it should just accept the password.PQconnectdb() has the same handling as PQsetdbLogin(). Is it possible your libpq version is older than 7.2.1? --------------------------------------------------------------------------- Scott Dunbar wrote: > Hello, > I'm pretty new to PostgreSQL in general and even newer to libpq. I am > trying to get a C program working (the authpgsql module in courier-imap) > that uses PQsetdbLogin(). I've got 7.2.1 installed and running and have > had no problem accessing it via JDBC. I have encrypted passwords in > pg_shadow and have "md5" set for the AUTH_TYPE in pg_hba.conf. However, > when using PQsetdbLogin the only way I could get a login to work was to > use unencrypted passwords in pg_shadow and change pg_hba.conf to use > "password" instead of "md5" for the database I want access to through > authpgsql. > > Why is this? Do I somehow have to md5 the clear text password before > calling PQsetdbLogin()? Does PQconnectdb() handle this and I should > update the code? I feel that the client code should be unaware of the > over the wire encryption method used and the encryption method of the > password in pg_shadow but I may be way off base on the underlying issue. > > Thanks in advance for any information. > > > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
Bruce, Thanks for the information. On further testing I indeed cannot reproduce the issue with a standalone program, only with the authlib that I'm trying to get to work. I did learn that my thinking was wrong though. I thought the AUTH_TYPE in pg_hba.conf was for transport only, having nothing to do with the encryption used to encrypt passwords in pg_shadow. That does not appear to be the case as if you use md5 in your pg_shadow and just "password" in your pg_hba.conf file you'll get an error. I'll keep digging. I am confident that my libpg.so is correct as this is a new installation of everything. Thanks again for the feedback. Bruce Momjian wrote: >Sorry, this seems impossible: libpq's PQsetdbLogin() doesn't allow MD5 >passwords? You shouldn't have to do anything special; it should just >accept the password.PQconnectdb() has the same handling as >PQsetdbLogin(). > >Is it possible your libpq version is older than 7.2.1? > >--------------------------------------------------------------------------- > >Scott Dunbar wrote: > > >>Hello, >>I'm pretty new to PostgreSQL in general and even newer to libpq. I am >>trying to get a C program working (the authpgsql module in courier-imap) >>that uses PQsetdbLogin(). I've got 7.2.1 installed and running and have >>had no problem accessing it via JDBC. I have encrypted passwords in >>pg_shadow and have "md5" set for the AUTH_TYPE in pg_hba.conf. However, >>when using PQsetdbLogin the only way I could get a login to work was to >>use unencrypted passwords in pg_shadow and change pg_hba.conf to use >>"password" instead of "md5" for the database I want access to through >>authpgsql. >> >>Why is this? Do I somehow have to md5 the clear text password before >>calling PQsetdbLogin()? Does PQconnectdb() handle this and I should >>update the code? I feel that the client code should be unaware of the >>over the wire encryption method used and the encryption method of the >>password in pg_shadow but I may be way off base on the underlying issue. >> >>Thanks in advance for any information. >> >> >> >>---------------------------(end of broadcast)--------------------------- >>TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org >> >> >> > > >
Well, if you store your passwords as encrypted in pg_shadow, then only MD5 will work for authentication. If you don't encrypt them, you can use any auth method like 'crypt' or 'password'. I don't know what authlib is, but it is very possible it doesn't have this md5 capability. --------------------------------------------------------------------------- Scott Dunbar wrote: > Bruce, > Thanks for the information. On further testing I indeed cannot > reproduce the issue with a standalone program, only with the authlib > that I'm trying to get to work. I did learn that my thinking was wrong > though. I thought the AUTH_TYPE in pg_hba.conf was for transport only, > having nothing to do with the encryption used to encrypt passwords in > pg_shadow. That does not appear to be the case as if you use md5 in > your pg_shadow and just "password" in your pg_hba.conf file you'll get > an error. > > I'll keep digging. I am confident that my libpg.so is correct as this > is a new installation of everything. > > Thanks again for the feedback. > > > Bruce Momjian wrote: > > >Sorry, this seems impossible: libpq's PQsetdbLogin() doesn't allow MD5 > >passwords? You shouldn't have to do anything special; it should just > >accept the password.PQconnectdb() has the same handling as > >PQsetdbLogin(). > > > >Is it possible your libpq version is older than 7.2.1? > > > >--------------------------------------------------------------------------- > > > >Scott Dunbar wrote: > > > > > >>Hello, > >>I'm pretty new to PostgreSQL in general and even newer to libpq. I am > >>trying to get a C program working (the authpgsql module in courier-imap) > >>that uses PQsetdbLogin(). I've got 7.2.1 installed and running and have > >>had no problem accessing it via JDBC. I have encrypted passwords in > >>pg_shadow and have "md5" set for the AUTH_TYPE in pg_hba.conf. However, > >>when using PQsetdbLogin the only way I could get a login to work was to > >>use unencrypted passwords in pg_shadow and change pg_hba.conf to use > >>"password" instead of "md5" for the database I want access to through > >>authpgsql. > >> > >>Why is this? Do I somehow have to md5 the clear text password before > >>calling PQsetdbLogin()? Does PQconnectdb() handle this and I should > >>update the code? I feel that the client code should be unaware of the > >>over the wire encryption method used and the encryption method of the > >>password in pg_shadow but I may be way off base on the underlying issue. > >> > >>Thanks in advance for any information. > >> > >> > >> > >>---------------------------(end of broadcast)--------------------------- > >>TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org > >> > >> > >> > > > > > > > > > > > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073