Skip site navigation (1) Skip section navigation (2)

pg_hba.conf "password" authentication broken?

From: Jim Mercer <jim(at)reptiles(dot)org>
To: pgsql-hackers(at)postgresql(dot)org
Subject: pg_hba.conf "password" authentication broken?
Date: 2001-03-31 00:51:12
Message-ID: 20010330195112.N29550@reptiles.org (view raw or flat)
Thread:
Lists: pgsql-hackers
if i use type "crypt", the backend assumes that the client is
handing it an already encrypted passwd, and then compares it to an encrypted
version of pg_shadow->passwd.

and if i use type "password filename", the backend assumes a clear text
password from the client, and then compares an encrypted version of that
to the normal contents of the second field of "filename".

however, if i use type "password", it just does a clear text comparison
of the password from the client and the password in pg_shadow.

attached are patches which allow for a special case type "password pg_shadow",
which similar to supplying a filename, actually encrypts the cleartext
password from the client, and compares it to the normal contents of pg_shadow.

this allows the storage of encrypted passwords in pg_shadow.

i was unable to determine any other way of not storing clear text passwords
in pg_shadow.

i implemented this in such a way that it will not impact existing
installations.

-- 
[ Jim Mercer          jim(at)pneumonoultramicroscopicsilicovolcanoconiosis(dot)ca ]
[          Reptilian Research -- Longer Life through Colder Blood          ]
[ aka                        jim(at)reptiles(dot)org              +1 416 410-5633 ]


*** auth.c.orig	Fri Mar 30 19:37:08 2001
--- auth.c	Fri Mar 30 19:28:20 2001
***************
*** 695,701 ****
  static int
  checkPassword(Port *port, char *user, char *password)
  {
! 	if (port->auth_method == uaPassword && port->auth_arg[0] != '\0')
  		return verify_password(port->auth_arg, user, password);
  
  	return crypt_verify(port, user, password);
--- 695,702 ----
  static int
  checkPassword(Port *port, char *user, char *password)
  {
! 	if (port->auth_method == uaPassword && port->auth_arg[0] != '\0'
! 			&& strcmp(port->auth_arg, "pg_shadow") != 0)
  		return verify_password(port->auth_arg, user, password);
  
  	return crypt_verify(port, user, password);
*** crypt.c.orig	Fri Mar 30 19:38:26 2001
--- crypt.c	Fri Mar 30 19:39:07 2001
***************
*** 280,287 ****
  	 * authentication method being used for this connection.
  	 */
  
! 	crypt_pwd =
! 		(port->auth_method == uaCrypt ? crypt(passwd, port->salt) : passwd);
  
  	if (!strcmp(pgpass, crypt_pwd))
  	{
--- 280,294 ----
  	 * authentication method being used for this connection.
  	 */
  
! 	if (port->auth_method == uaCrypt)
! 		crypt_pwd = crypt(passwd, port->salt);
! 	else
! 	{
! 		/* if port->auth_arg, encrypt password from client before compare */
! 		if (port->auth_arg[0] != 0)
! 			pgpass = crypt(pgpass, passwd);
! 		crypt_pwd = passwd;
! 	}
  
  	if (!strcmp(pgpass, crypt_pwd))
  	{

pgsql-hackers by date

Next:From: Thomas LockhartDate: 2001-03-31 00:57:04
Subject: Re: MacOS X OK, was: Call for platforms
Previous:From: Thomas LockhartDate: 2001-03-31 00:50:48
Subject: Re: Third call for platform testing (linux 2.4.x)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group