Re: [GENERAL] db_user_namespace, md5 and changing passwords

Bruce Momjian wrote:
> Magnus Hagander wrote:
> > >> Not sure I care enough to dive into what it would actually mean. My
> > >> guess is that it's very uncommon to use db_user_namespace in any of
> > >> these scenarios (in fact I think it's very uncommon to use it at all,
> > >> but even more uncommon in these cases)
> > >
> > > The documentation changes highlight that we are going to validate for
> > > most external authentications using the server username, so the external
> > > authentication has to be set up to use that server username. Were the
> > > docs not clear on that? Do I need a mention of db_user_namespace in the
> > > authentication docs?
> >
> > AFAICS, the changes only say MD5 doesn't work. I think it should be made
> > more clear.
> >
> > And yes, it probably makes sense to put it around the authentication
> > docs as well as a warning to people - that's where they'll go looking if
> > something doesn't work.
>
> OK, documentation updated stating that all authentication has to user
> the server username, and added a mention in the client-auth docs too.

Applied to CVS HEAD. Not sure if it should be backpatched so I didn't.
We do have two bug reports for 8.3 but none for earlier releases where
it was also broken.

---------------------------------------------------------------------------

>
> --
> Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
> EnterpriseDB http://enterprisedb.com
>
> + If your life is a hard drive, Christ can be your backup. +

> Index: doc/src/sgml/client-auth.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
> retrieving revision 1.111
> diff -c -c -r1.111 client-auth.sgml
> *** doc/src/sgml/client-auth.sgml 18 Nov 2008 13:10:20 -0000 1.111
> --- doc/src/sgml/client-auth.sgml 20 Nov 2008 03:56:43 -0000
> ***************
> *** 702,707 ****
> --- 702,709 ----
> If you are at all concerned about password
> <quote>sniffing</> attacks then <literal>md5</> is preferred.
> Plain <literal>password</> should always be avoided if possible.
> + <literal>md5</> cannot be used with <xref
> + linkend="guc-db-user-namespace">.
> </para>
>
> <para>
> Index: doc/src/sgml/config.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
> retrieving revision 1.195
> diff -c -c -r1.195 config.sgml
> *** doc/src/sgml/config.sgml 11 Nov 2008 02:42:31 -0000 1.195
> --- doc/src/sgml/config.sgml 20 Nov 2008 03:56:44 -0000
> ***************
> *** 706,711 ****
> --- 706,722 ----
> before the user name is looked up by the server.
> </para>
>
> + <para>
> + <varname>db_user_namespace</> causes the client's and
> + server's user name representation to differ.
> + Authentication checks are always done with the server's user name
> + so authentication methods must be configured for the
> + server's user name, not the client's. Because
> + <literal>md5</> uses the user name as salt on both the
> + client and server, <literal>md5</> cannot be used with
> + <varname>db_user_namespace</>.
> + </para>
> +
> <note>
> <para>
> This feature is intended as a temporary measure until a
> Index: src/backend/libpq/auth.c
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v
> retrieving revision 1.171
> diff -c -c -r1.171 auth.c
> *** src/backend/libpq/auth.c 18 Nov 2008 13:10:20 -0000 1.171
> --- src/backend/libpq/auth.c 20 Nov 2008 03:56:44 -0000
> ***************
> *** 371,376 ****
> --- 371,380 ----
> break;
>
> case uaMD5:
> + if (Db_user_namespace)
> + ereport(FATAL,
> + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
> sendAuthRequest(port, AUTH_REQ_MD5);
> status = recv_and_check_password_packet(port);
> break;
> Index: src/backend/libpq/hba.c
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v
> retrieving revision 1.172
> diff -c -c -r1.172 hba.c
> *** src/backend/libpq/hba.c 28 Oct 2008 12:10:43 -0000 1.172
> --- src/backend/libpq/hba.c 20 Nov 2008 03:56:47 -0000
> ***************
> *** 846,852 ****
> --- 846,861 ----
> else if (strcmp(token, "reject") == 0)
> parsedline->auth_method = uaReject;
> else if (strcmp(token, "md5") == 0)
> + {
> + if (Db_user_namespace)
> + {
> + ereport(LOG,
> + (errcode(ERRCODE_CONFIG_FILE_ERROR),
> + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
> + return false;
> + }
> parsedline->auth_method = uaMD5;
> + }
> else if (strcmp(token, "pam") == 0)
> #ifdef USE_PAM
> parsedline->auth_method = uaPAM;

>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +