From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Fernando Moreno <azazel(dot)7(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
Subject: | Re: [GENERAL] db_user_namespace, md5 and changing passwords |
Date: | 2008-11-13 14:48:17 |
Message-ID: | 491C3E31.90400@hagander.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
Bruce Momjian wrote:
> Magnus Hagander wrote:
>>> I have developed the attached patch, which documents the inability to
>>> use MD5 with db_user_namespace, and throws an error when it is used:
>>>
>>> psql: FATAL: MD5 authentication is not supported when "db_user_namespace" is enabled
>> IMHO it would be much nicer to detect this when we load pg_hba.conf.
>> It's easy to do these days :-P
>>
>> I don't think we need to worry about the "changed postgresql.conf after
>> we changed pg_hba.conf" that much, because we'll always reload
>> pg_hba.conf after the main config file.
>>
>> I'd still leave the runtime check in as well to handle the "loaded one
>> but not the other" case, but let's try prevent the user from loading the
>> broken config file in the first place..
>
> [ Thread moved to hackers. ]
>
> OK, updated patch attached.
>
>
Looks a lot better.
I am unsure of exactly where this thing hacks into the authentication
stream, but is it really only MD5 that fails?
AFAICS, we rewrite what the user puts into the system *before* we do the
authentication. Which I think would break all authentication *except*
password (without md5) and trust, more or less.
//Magnus
From | Date | Subject | |
---|---|---|---|
Next Message | Grzegorz Jaśkiewicz | 2008-11-13 14:59:34 | Re: sort_mem param of postgresql.conf |
Previous Message | Ivan Sergio Borgonovo | 2008-11-13 14:36:59 | Re: still gin index creation takes forever |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2008-11-13 15:06:05 | Re: [GENERAL] db_user_namespace, md5 and changing passwords |
Previous Message | Dmitry Turin | 2008-11-13 14:24:56 | SQL5 budget |