pg_hba.conf and Administrator's Guide, 8. Security, User Authentication, Host-Based Access Control

From: geol <geol(at)cit(dot)sf(dot)ukrtel(dot)net>
To: pgsql-docs(at)postgresql(dot)org
Subject: pg_hba.conf and Administrator's Guide, 8. Security, User Authentication, Host-Based Access Control
Date: 2001-10-05 19:48:52
Message-ID: 3BBE0EA4.E97BA47C@cit.sf.ukrtel.net
Lists: pgsql-docs

Name : Oleg Katsitadze
Email address: geol(at)cit(dot)sf(dot)ukrtel(dot)net

Short description of the problem
--------------------------------
Misleading description of `crypt' user authentication method in
pg_hba.conf.

Difference between `crypt' and `password' authentication methods is
(probably) not intuitively discernible in Administrator's Guide.

System configuration
--------------------
Architecture: Intel Pentium MMX

Operating System: Linux 2.4.2-2 (Red Hat Linux release 7.1
Seawolf)

PostgreSQL version: PostgreSQL-7.0.3

Compiler used: gcc 2.96

Detailed description of the problem
-----------------------------------
Default pg_hba.conf in /usr/local/pgsql/data contains the following
description of `password' and `crypt' authentication methods:

# password: Authentication is done by matching a password supplied
# in clear by the host. If AUTH_ARGUMENT is specified then
# the password is compared with the user's entry in that
# file (in the $PGDATA directory). See pg_passwd(1). If it
# is omitted then the password is compared with the user's
# entry in the pg_shadow table.
#
# crypt: Same as 'password', but authentication is done by
# encrypting the password sent over the network.

This may cause confusion for a new user since `crypt' authentication
type is NOT the same as `password', as it does not look up the password
file even if one is provided as AUTH_ARGUMENT. A simple note might be
in place for `crypt':

# crypt: Same as 'password', but authentication is done by
# encrypting the password sent over the network. Note: unlike
# 'password', 'crypt' does not use password file; password lookup
# is always done in pg_shadow table.

Actually, this behavior can be inferred from Administrator's
Guide, 8. Security, User Authentication, Host-Based Access Control,
which reads:

crypt
    The client is asked for a password for the user. This is sent
    encrypted (using crypt(3)) and compared against the password
    held in the pg_shadow table. If the passwords match, the
    connection is allowed.

password
    The client is asked for a password for the user. This is sent
    in clear and compared against the password held in the
    pg_shadow table. If the passwords match, the connection is
    allowed. An optional password file may be specified after the
    password keyword which is used to match the supplied password
    rather than the pg_shadow table. See pg_passwd.

It may be more convenient for a reader if the description of the
`crypt' method stressed that the password file is not looked up. In
any case, it will save some hasty readers (like me) several minutes
of trying to configure `crypt' with a password file, and then coming
back to the documentation to figure out that `crypt' does not use it.

Thanks,
Oleg
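
The mismatch Oleg describes (a `crypt' record that carries an AUTH_ARGUMENT an administrator expects to be honoured) is easy to catch with a small lint over pg_hba.conf. The following is an added example, not part of the post or of PostgreSQL itself. It assumes the 7.x record layout `local DATABASE AUTH_TYPE [AUTH_ARGUMENT]` and `host DATABASE IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT]`; the sample file, its addresses and the password file name `pg_pwd` are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the PostgreSQL 7.x pg_hba.conf layout (assumption:
# "local DATABASE AUTH_TYPE [AUTH_ARGUMENT]" and
# "host DATABASE IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT]").
# Databases, addresses and the file name pg_pwd are made up for this example.
SAMPLE_PG_HBA = """\
# constructed sample, not a real configuration
local   all                                      trust
host    all   127.0.0.1     255.255.255.255      password   pg_pwd
host    all   192.168.1.0   255.255.255.0        crypt      pg_pwd
host    all   10.0.0.0      255.0.0.0            crypt
"""


@dataclass
class HbaRecord:
    line_no: int
    kind: str                # 'local' or 'host'
    database: str
    address: Optional[str]   # host records only
    mask: Optional[str]      # host records only
    method: str              # AUTH_TYPE, e.g. trust, password, crypt
    argument: Optional[str]  # AUTH_ARGUMENT, if present


def parse_pg_hba(text: str) -> List[HbaRecord]:
    """Parse pg_hba.conf text; blank lines and '#' comments are skipped."""
    records: List[HbaRecord] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        kind = fields[0]
        if kind == "local" and len(fields) in (3, 4):
            db, method = fields[1], fields[2]
            arg = fields[3] if len(fields) == 4 else None
            records.append(HbaRecord(line_no, kind, db, None, None, method, arg))
        elif kind == "host" and len(fields) in (5, 6):
            db, addr, mask, method = fields[1:5]
            arg = fields[5] if len(fields) == 6 else None
            records.append(HbaRecord(line_no, kind, db, addr, mask, method, arg))
        else:
            raise ValueError(f"line {line_no}: unrecognised pg_hba.conf record: {raw!r}")
    return records


def audit(records: List[HbaRecord]) -> List[Tuple[int, str, str]]:
    """Return (line_no, method, message) for records that deserve a second look.

    - crypt with an AUTH_ARGUMENT: the argument is silently ignored, the
      password is always checked against pg_shadow (the point of the report).
    - password: the password crosses the network in clear text; the message
      also says where it is checked (password file or pg_shadow).
    """
    findings: List[Tuple[int, str, str]] = []
    for r in records:
        if r.method == "crypt" and r.argument is not None:
            findings.append((r.line_no, r.method,
                             f"AUTH_ARGUMENT '{r.argument}' is ignored: "
                             f"crypt always checks pg_shadow"))
        elif r.method == "password":
            where = f"password file '{r.argument}'" if r.argument else "pg_shadow"
            findings.append((r.line_no, r.method,
                             f"password is sent in clear text and checked against {where}"))
    return findings


if __name__ == "__main__":
    for line_no, method, msg in audit(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"line {line_no} ({method}): {msg}")
```

Run against a real file with `audit(parse_pg_hba(open(path).read()))`; the crypt finding is the one that would have saved the minutes described above, since the record parses and loads without complaint while the password file is never consulted.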
