Thread: Password authentication failure

From: "Paul Hart"

Hi all,

I'm currently running 7.1.2 on OpenBSD 2.9-current. I am attempting to
connect to a database over IP, so I have the following 'start' command
in my /etc/rc.local:

su postgres -c '/usr/local/pgsql/bin/pg_ctl -o "-i" -D /web/databases -l \
/web/databases/logfile.log start > /dev/null'

Also, I have the following in my /web/databases/pg_hba.conf
('/web/databases' is set up as $PGDATA):

host         all         xxx.xxx.xx.0  255.255.255.0       crypt passwd

(obviously, the 'xxx.xxx.xx.0' is my host set.)

I have also created the file /web/databases/passwd which contains the
username/password pair I wish to use to connect to the database.

So, after all this, I have a jdbc connection URL of:

jdbc:postgresql://[my host]/[my db]

(as per the spec)

I also pass in the username and password that I set up using pg_passwd.


Of course, if it worked, I wouldn't have just written all of that :)

The JDBC driver claims "Password authentication failed for user 'XXXX'"

So, does anyone have any ideas?

Many Thanks,

Paul Hart


RE: Password authentication failure

From: "Paul Hart"

Okay, a little more digging later, and the plot thickens some:

I'm throwing an exception at line 170 in Connection.java, which suggests
that the response from the server is 'E'. That in and of itself is not
too interesting. What *is* interesting is that I have been denied access
even before the server asks for a password (the code to deal with that
is in lines 200-215 of the same method). This, to me, suggests that
something isn't happening right with regard to the protocol matching in
the JDBC client. Or that I'm stupid, I'm willing to accept either
answer.

However, based on that, I would guess that the crypt() problem isn't it.

As for the postmaster log file, there is nothing special in there:

verify_password: password mismatch for 'XXXX'.
Password authentication failed for user 'XXXX'

The stack trace is below. Under that is some commentary on the initial
response I received (thank you!)

java.sql.SQLException: Password authentication failed for user 'XXXX'
     at org.postgresql.Connection.openConnection(Connection.java:170)
     at org.postgresql.Driver.connect(Driver.java:122)
     at java.sql.DriverManager.getConnection(DriverManager.java:517)
     at java.sql.DriverManager.getConnection(DriverManager.java:177)
[...]

Peter Eisentraut writes:
> > The JDBC driver claims "Password authentication failed for user 'XXXX'"
>
> AFAIK, OpenBSD uses MD5 as the default crypt() algorithm, whereas the JDBC
> driver assumes the traditional DES-like method.  I suppose you have to
> hack either one to do otherwise.

Uhm... would that then mean that if I was on an OpenBSD machine as a
client (i.e. just running psql), I would be unable (at least without
massaging some code) to access a postgres instance on, say, a Solaris
box? That sounds *very* fishy to me.

Any chance we can have a standardized hashing function built into the
code? If you can't guarantee implementation at the OS level (or you make
false assumptions), there seems to be no other truly suitable
alternative.

Thanks,

Paul Hart


Re: Password authentication failure

From: Tom Lane

"Paul Hart" <paulhart@io.com> writes:
> The JDBC driver claims "Password authentication failed for user 'XXXX'"

There might be more info in the postmaster's logfile --- did you look?

            regards, tom lane

Re: Password authentication failure

From: Peter Eisentraut

Paul Hart writes:

> The JDBC driver claims "Password authentication failed for user 'XXXX'"

AFAIK, OpenBSD uses MD5 as the default crypt() algorithm, whereas the JDBC
driver assumes the traditional DES-like method.  I suppose you have to
hack either one to do otherwise.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter


Re: Password authentication failure

From: Tom Lane

"Paul Hart" <paulhart@io.com> writes:
> However, based on that, I would guess that the crypt() problem isn't it.
> As for the postmaster log file, there is nothing special in there:
> verify_password: password mismatch for 'XXXX'.

No, that tells us quite a lot: checking in the source code for that
message, I can see that the backend has received your username and
password, and has found the username in an external password file,
and has attempted to match your password against what was in the
password file.  And that match didn't work.  I think that crypt()
is exactly where your problem is.  Did you build the external
password file with pg_passwd, or manually?

> Uhm... would that then mean that if I was on an OpenBSD machine as a
> client (i.e. just running psql), I would be unable (at least without
> massaging some code) to access a postgres instance on, say, a Solaris
> box? That sounds *very* fishy to me.

If you use the crypt auth method (crypt on client side and send
that across the wire) then yes, the crypt algorithms offered by
client and server C libraries had better match.  However, AFAICT
you are not doing that.  In the regular passwd method what we are
assuming is that the crypt library routine linked into the
postmaster is the same one linked into pg_passwd, or whatever
program you use to maintain the flat password file.  Since these
are on the same machine it's not such a big assumption.

> Any chance we can have a standardized hashing function built into the
> code?

Are you volunteering?  There have been a couple of long discussions
on pghackers about a better password challenge protocol.  IIRC we
came up with a good-looking paper design, but there was a notable
lack of effort on actually making it happen.

            regards, tom lane
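
Added example, not part of the thread: the replies above turn on whether the hashes in the flat password file were produced by the same crypt() scheme that the comparing side applies. The Python code below assumes the colon-separated `username:hash` layout of a pg_passwd file and reports which scheme each entry's format indicates; it goes beyond the DES and MD5 cases named in the thread by also recognising bcrypt and BSDi extended DES. The function names are hypothetical and the sample entries are constructed placeholders, not real hashes.

```python
import re

# Alphabet crypt(3) uses for salts and encoded hash output.
B64 = r"[./0-9A-Za-z]"

# (scheme, full-string pattern) pairs, checked in order.
SCHEMES = [
    ("md5-crypt", re.compile(r"\$1\$[^$]{1,8}\$" + B64 + r"{22}")),
    ("bcrypt", re.compile(r"\$2[abxy]?\$\d{2}\$" + B64 + r"{53}")),
    ("bsdi-des", re.compile(r"_" + B64 + r"{19}")),
    ("traditional-des", re.compile(B64 + r"{13}")),
]

def classify(hash_field):
    """Name the crypt(3) scheme a stored hash string is formatted for."""
    for name, pattern in SCHEMES:
        if pattern.fullmatch(hash_field):
            return name
    return "unknown"

def audit(text):
    """Map each user in 'user:hash[:ignored...]' lines to a scheme name."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        # Only the second field is the hash; later fields are ignored.
        result[user] = classify(rest.split(":", 1)[0])
    return result

def mismatches(text, expected="traditional-des"):
    """Users whose stored hash is not in the scheme the verifier expects."""
    return sorted(u for u, s in audit(text).items() if s != expected)

# Constructed sample file contents (placeholder strings with valid shapes).
SAMPLE = "\n".join([
    "alice:ab" + "C" * 11,
    "bob:$1$saltsalt$" + "x" * 22,
    "carol:$2a$06$" + "A" * 53 + ":extra field",
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(user, scheme)
    print("not traditional DES:", mismatches(SAMPLE))
```

An entry listed by `mismatches` was written by a crypt() that differs from the one the checking side expects, which is the condition the thread identifies as producing "password mismatch" even when the typed password is correct.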