Re: passwords in pg_shadow (duplicate).
От | Bruce Momjian |
---|---|
Тема | Re: passwords in pg_shadow (duplicate). |
Дата | |
Msg-id | 200212051840.gB5IeOu18228@candle.pha.pa.us обсуждение исходный текст |
Ответ на | Re: passwords in pg_shadow (duplicate). (Hiroshi Inoue <Inoue@tpf.co.jp>) |
Список | pgsql-general |
OK, I have applied the following patch to CVS and 7.3. The fix will be in 7.3.1 to allow 'password' even if pg_shadow contains MD5 passwords. --------------------------------------------------------------------------- Hiroshi Inoue wrote: > Bruce Momjian wrote: > > > > Good catch. Seems like a bug. I assumed we still want to support > > 'password' even though pg_shadow contains MD5 encrypted passwords. Is > > that correct? (We can't support crypt in those cases.) > > > > The following patch fixes this. I need to review it later, but we could > > apply to 7.3.1. I assume there are still some interfaces that don't > > support md5 or crypt and we will need this patch to continue supporting > > them, though I am sure there are some out there that want 'password' to > > go away. > > Honestly I don't understand your intention. > For example, if some one would like to use > crypt authentication what should he do ? > Certainly he can store a plain password using > 'with unencrypted password ....'. But pg_dump > would dump it as 'with password ....' and as > a result the password would be restored as MD5 > encrypted password by default. > > regards, > Hiroshi Inoue > http://w2422.nsk.ne.jp/~inoue/ > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 Index: src/backend/libpq/crypt.c =================================================================== RCS file: /cvsroot/pgsql-server/src/backend/libpq/crypt.c,v retrieving revision 1.49 diff -c -c -r1.49 crypt.c *** src/backend/libpq/crypt.c 4 Sep 2002 20:31:19 -0000 1.49 --- src/backend/libpq/crypt.c 5 Dec 2002 18:03:53 -0000 *************** *** 29,35 **** int ! 
md5_crypt_verify(const Port *port, const char *user, const char *pgpass) { char *passwd = NULL, *valuntil = NULL, --- 29,35 ---- int ! md5_crypt_verify(const Port *port, const char *user, char *pgpass) { char *passwd = NULL, *valuntil = NULL, *************** *** 37,42 **** --- 37,43 ---- int retval = STATUS_ERROR; List **line; List *token; + char *crypt_pgpass = pgpass; if ((line = get_user_line(user)) == NULL) return STATUS_ERROR; *************** *** 54,64 **** if (passwd == NULL || *passwd == '\0') return STATUS_ERROR; ! /* If they encrypt their password, force MD5 */ ! if (isMD5(passwd) && port->auth_method != uaMD5) { elog(LOG, "Password is stored MD5 encrypted. " ! "'password' and 'crypt' auth methods cannot be used."); return STATUS_ERROR; } --- 55,65 ---- if (passwd == NULL || *passwd == '\0') return STATUS_ERROR; ! /* We can't do crypt with pg_shadow MD5 passwords */ ! if (isMD5(passwd) && port->auth_method == uaCrypt) { elog(LOG, "Password is stored MD5 encrypted. " ! "'crypt' auth method cannot be used."); return STATUS_ERROR; } *************** *** 72,77 **** --- 73,79 ---- crypt_pwd = palloc(MD5_PASSWD_LEN + 1); if (isMD5(passwd)) { + /* pg_shadow already encrypted, only do salt */ if (!EncryptMD5(passwd + strlen("md5"), (char *) port->md5Salt, sizeof(port->md5Salt), crypt_pwd)) *************** *** 82,87 **** --- 84,90 ---- } else { + /* pg_shadow plain, double-encrypt */ char *crypt_pwd2 = palloc(MD5_PASSWD_LEN + 1); if (!EncryptMD5(passwd, port->user, strlen(port->user), *************** *** 110,120 **** break; } default: crypt_pwd = passwd; break; } ! 
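Review bot: The signature change from `const char *pgpass` to `char *pgpass` in this hunk and in the crypt.h hunk drops a qualifier only so that the `char *crypt_pgpass = pgpass` initializer in the 37,42 hunk compiles; as far as the visible hunks show, nothing writes through pgpass, so callers lose a guarantee for no reason. Keeping the parameter const and holding the palloc'd copy in its own `char *encrypted_pgpass = NULL` also lets the cleanup in the 136,141 hunk become `if (encrypted_pgpass) pfree(encrypted_pgpass);` instead of the pointer-identity test `if (crypt_pgpass != pgpass)`, which makes ownership of the buffer explicit. Whether the crypt branch, which lies outside the hunks, writes through pgpass cannot be confirmed from this page. The rewritten lines below cover the declaration, the default branch of the 110,120 hunk and the cleanup; md5_crypt_verify continues past this hunk.
```c
int
md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
{
	/* … unchanged: passwd, valuntil, retval, line, token declarations … */
	const char *crypt_pgpass = pgpass;	/* value compared against pg_shadow */
	char	   *encrypted_pgpass = NULL;	/* owned buffer, freed at exit */

	/* … unchanged: get_user_line, isMD5 checks, uaMD5 and uaCrypt cases … */
		default:
			if (isMD5(passwd))
			{
				/* Encrypt user-supplied password to match MD5 in pg_shadow */
				encrypted_pgpass = palloc(MD5_PASSWD_LEN + 1);
				if (!EncryptMD5(pgpass, port->user, strlen(port->user),
								encrypted_pgpass))
				{
					pfree(encrypted_pgpass);
					return STATUS_ERROR;
				}
				crypt_pgpass = encrypted_pgpass;
			}
			crypt_pwd = passwd;
			break;
	/* … unchanged: comparison, valuntil check, crypt_pwd cleanup … */
	if (encrypted_pgpass)
		pfree(encrypted_pgpass);
```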
if (strcmp(pgpass, crypt_pwd) == 0) { /* * Password OK, now check to be sure we are not past valuntil --- 113,134 ---- break; } default: + if (isMD5(passwd)) + { + /* Encrypt user-supplied password to match MD5 in pg_shadow */ + crypt_pgpass = palloc(MD5_PASSWD_LEN + 1); + if (!EncryptMD5(pgpass, port->user, strlen(port->user), + crypt_pgpass)) + { + pfree(crypt_pgpass); + return STATUS_ERROR; + } + } crypt_pwd = passwd; break; } ! if (strcmp(crypt_pgpass, crypt_pwd) == 0) { /* * Password OK, now check to be sure we are not past valuntil *************** *** 136,141 **** --- 150,157 ---- if (port->auth_method == uaMD5) pfree(crypt_pwd); + if (crypt_pgpass != pgpass) + pfree(crypt_pgpass); return retval; } Index: src/include/libpq/crypt.h =================================================================== RCS file: /cvsroot/pgsql-server/src/include/libpq/crypt.h,v retrieving revision 1.22 diff -c -c -r1.22 crypt.h *** src/include/libpq/crypt.h 4 Sep 2002 20:31:42 -0000 1.22 --- src/include/libpq/crypt.h 5 Dec 2002 18:03:54 -0000 *************** *** 23,29 **** extern int md5_crypt_verify(const Port *port, const char *user, ! const char *pgpass); extern bool md5_hash(const void *buff, size_t len, char *hexsum); extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed); --- 23,29 ---- extern int md5_crypt_verify(const Port *port, const char *user, ! char *pgpass); extern bool md5_hash(const void *buff, size_t len, char *hexsum); extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed);
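Review bot: The comparison `if (strcmp(crypt_pgpass, crypt_pwd) == 0)` on the hunk's `!` line stops at the first differing byte, so its running time depends on how long a prefix of the client-supplied value matches the stored one; in the default branch with a plaintext pg_shadow entry (`crypt_pwd = passwd`) that prefix is the password itself, and with an MD5 entry it is the stored hash. Whether the difference is observable by a remote client is not something this page shows, but the cost of avoiding it is small: check the two lengths first, then loop over the full length ORing the byte differences into an accumulator and test that once at the end, rather than returning early. The same comparison serves the uaMD5 and uaCrypt paths, so the replacement covers all of them. md5_crypt_verify begins and ends outside this hunk.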