Re: passwords in pg_shadow (duplicate).

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Hiroshi Inoue <Inoue(at)tpf(dot)co(dot)jp>
Cc: Terry Yapt <pgsql(at)technovell(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: passwords in pg_shadow (duplicate).
Date: 2002-12-05 07:11:32
Message-ID: 200212050711.gB57BWC07813@candle.pha.pa.us
Lists: pgsql-general


Good catch. Seems like a bug. I assumed we still want to support
'password' even though pg_shadow contains MD5 encrypted passwords. Is
that correct? (We can't support crypt in those cases.)

The following patch fixes this. I need to review it later, but we could
apply to 7.3.1. I assume there are still some interfaces that don't
support md5 or crypt and we will need this patch to continue supporting
them, though I am sure there are some out there that want 'password' to
go away.

---------------------------------------------------------------------------

Hiroshi Inoue wrote:
> Bruce Momjian wrote:
> >
> >
> > This is normal behavior. With 7.3, when you load your passwords into
> > the database, they are automatically converted to MD5 inside the
> > database. You can disable this in postgresql.conf by changing
> > password_encryption _before_ you load your data into the database.
> >
> > The big trick is what is in your pg_hba.conf file for the ODBC host. If
> > it is crypt, there is no way we can make those MD5 passwords match the
> > info coming from the client. However, I didn't think ODBC even did
> > crypt. Even though the server has MD5-encrypted password stored, the
> > 'password' pg_hba.conf method should still work because the server will
> > internally MD5 encrypt before comparing to pg_shadow, or at least it
> > should and worked in my testing.
>
> It doesn't work here and I see the following in src/libpq/crypt.c.
>
>     /* If they encrypt their password, force MD5 */
>     if (isMD5(passwd) && port->auth_method != uaMD5)
>     {
>         elog(LOG, "Password is stored MD5 encrypted. "
>              "'password' and 'crypt' auth methods cannot be used.");
>         return STATUS_ERROR;
>     }
>
> As far as I see, 7.3 forces the use of md5 authentication
> implicitly rather than recommending it. Please document
> it clearly on the top of the main documents. Otherwise
> users would be confused pointlessly.
>
> regards,
> Hiroshi Inoue
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

Attachment Content-Type Size
unknown_filename text/plain 1.6 KB
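
The comparison discussed in this message, sketched as an added Python example (it is not the attached patch and not PostgreSQL source code). It assumes the stored form `'md5' + md5(password || username)` and the salted reply used by the md5 method; the function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
USER, PASSWORD, SALT = "terry", "s3cret", b"\x01\x02\x03\x04"

def pg_md5(password: str, user: str) -> str:
    """Stored form: 'md5' + hex(md5(password || username)), 35 characters."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def is_md5(stored: str) -> bool:
    """True when the stored value has the 35-character 'md5...' shape."""
    return stored.startswith("md5") and len(stored) == 35

def md5_response(stored_md5: str, salt: bytes) -> str:
    """Reply of an md5-method client: 'md5' + hex(md5(stored_hex || salt))."""
    return "md5" + hashlib.md5(stored_md5[3:].encode() + salt).hexdigest()

def _same(a: str, b: str) -> bool:
    # Constant-time comparison of the two strings.
    return hmac.compare_digest(a.encode(), b.encode())

def verify(stored: str, method: str, user: str, received: str,
           salt: bytes = b"") -> bool:
    """Check what the client sent against the stored password."""
    if method == "password":
        # The client sent cleartext. If the stored value is an MD5 digest,
        # hash the cleartext the same way before comparing.
        candidate = pg_md5(received, user) if is_md5(stored) else received
        return _same(candidate, stored)
    if method == "md5":
        # Works for both storage forms: derive the digest if cleartext is stored.
        base = stored if is_md5(stored) else pg_md5(stored, user)
        return _same(md5_response(base, salt), received)
    if method == "crypt" and is_md5(stored):
        # crypt(3) needs the cleartext; an MD5 digest cannot supply it.
        return False
    raise ValueError("method/storage combination not modelled in this example")

if __name__ == "__main__":
    stored = pg_md5(PASSWORD, USER)
    print("password method, MD5 stored:", verify(stored, "password", USER, PASSWORD))
    print("crypt method, MD5 stored:   ", verify(stored, "crypt", USER, PASSWORD))
```
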
