Hi,
I'm getting ready to open up port 80 of my apache/pgsql server to the
world and am working on tightening up security.
I have password based authentication working with phpPgAdmin, and Apache
mod_auth_pgsql, as well as PHP.
However, when I set the authentication to md5:
local all all md5
in pg_hba.conf it just works. Always. It doesn't matter if I have
auth_PG_hash_type set to CRYPT in auth_pgsql.conf, or whether or not I:
alter user USERNAME with password PASSWORD
or
alter user USERNAME with encrypted password PASSWORD
No matter what I do, as long as the user and password are correct, it
works. If I set the passwords differently, it correctly denies access.
Looking in /var/lib/pgsql/global/pg_pwd shows passwords with an md5
prefix and which are obviously encrypted. In fact, even the users I
have not altered to use encrypted passwords have them.
I'm running Fedora Core 1 with the vendor provided 7.4.2-1 rpms, and
stock Fedora Core 1 apache and mod_auth_pgsql. PHP is 5.0.0 from
php.net.
So, is my information old, and md5 is "just standard" now? Or is
something else going on?
Thanks,
Steve Bergman