Re: db_user_namespace, md5 and changing passwords

From: Bruce Momjian
Subject: Re: db_user_namespace, md5 and changing passwords
Msg-id: 200811110312.mAB3ChM18107@momjian.us
In reply to: Re: db_user_namespace, md5 and changing passwords  (Bruce Momjian <bruce@momjian.us>)
Responses: Re: db_user_namespace, md5 and changing passwords  (Magnus Hagander <magnus@hagander.net>)
List: pgsql-general
Bruce Momjian wrote:
> Alvaro Herrera wrote:
> > Tom Lane wrote:
> > > Bruce Momjian <bruce@momjian.us> writes:
> > > > I don't know of a way to make MD5 and db_user_namespace work cleanly so
> > > > we are considering removing db_user_namespace in 8.4.
> > >
> > > We are?  It's no more or less ugly than the day it was put in (the
> > > MD5 encryption option was already there).
> > >
> > > If we had some improved replacement to offer, I'd be all for getting
> > > rid of db_user_namespace; but without that I think we're just taking
> > > away a feature that some people are using.  At least, the argument
> > > was made back in 2002 that people would use this if they had it;
> > > do we have evidence to the contrary now?
> >
> > I also disagree with removing it.  I know some people (few and far
> > apart) are using it.
>
> Well, I posted about this in August with no one replying:
>
>     http://archives.postgresql.org/pgsql-admin/2008-08/msg00068.php
>
> Basically, there is a mismatch between what libpq and the backend think
> is the username, and that affects how MD5 uses the salt on the two sides
> of the connection.  The minimal solution would be to document this and
> print a proper error message.

I have developed the attached patch, which documents the inability to
use MD5 with db_user_namespace, and throws an error when it is used:

    psql: FATAL:  MD5 authentication is not supported when "db_user_namespace" is enabled

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/config.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
retrieving revision 1.194
diff -c -c -r1.194 config.sgml
*** doc/src/sgml/config.sgml    9 Nov 2008 00:28:34 -0000    1.194
--- doc/src/sgml/config.sgml    11 Nov 2008 02:27:39 -0000
***************
*** 706,711 ****
--- 706,720 ----
          before the user name is looked up by the server.
         </para>

+        <para>
+         Keep in mind all authentication checks are done with
+         the server's representation of the user name, not the client's.
+         Because of this, <literal>MD5</> authentication will not work
+         when <literal>db_user_namespace</> is enabled because the
+         client and server have different representations of the user
+         name.
+        </para>
+
         <note>
          <para>
           This feature is intended as a temporary measure until a
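Review bot: The new paragraph says md5 "will not work" with db_user_namespace but not what the server does about it, so a reader cannot tell whether the combination silently fails to authenticate or is refused outright; add a sentence stating that the server rejects the connection with an error when an md5 pg_hba.conf entry is reached while db_user_namespace is on, and point the reader at the methods that do not use the user name as part of the salt. Also, the pg_hba.conf keyword is lowercase, so `<literal>md5</>` would match the rest of the documentation better than `<literal>MD5</>`.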
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.170
diff -c -c -r1.170 auth.c
*** src/backend/libpq/auth.c    28 Oct 2008 12:10:43 -0000    1.170
--- src/backend/libpq/auth.c    11 Nov 2008 02:27:42 -0000
***************
*** 368,373 ****
--- 368,377 ----
              break;

          case uaMD5:
+             if (Db_user_namespace)
+                 ereport(FATAL,
+                         (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+                          errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
              sendAuthRequest(port, AUTH_REQ_MD5);
              status = recv_and_check_password_packet(port);
              break;
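Review bot: The check fires only at connection time inside `case uaMD5:`, so an administrator who turns on db_user_namespace with an md5 line in pg_hba.conf learns of the conflict only when a client is turned away, and through a message that every unauthenticated client receives before any credential is examined (the ereport is raised before sendAuthRequest). Consider also reporting the conflict when pg_hba.conf is loaded or the GUC is assigned, so it lands in the server log at startup, and moving the mention of the setting name into an errdetail/errhint if the client-facing text should stay terse. Raising FATAL before sendAuthRequest is otherwise the right place, since it stops the salt exchange from starting at all.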

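The libpq/backend user-name mismatch Bruce describes above, worked through as an added example. This is Python written for this page, not code from the original post or from PostgreSQL; it re-implements the documented MD5 password scheme with hashlib rather than calling libpq. The role names, password and salt are constructed sample data, and the db_user_namespace rewriting rule it models (strip a trailing "@" for a global role, otherwise append "@" plus the database name before lookup) is taken from PostgreSQL's documentation of the setting, not from this page.

```python
"""Added example, not code from the original post or from PostgreSQL itself.

Models PostgreSQL's MD5 password exchange on both sides of the connection:
libpq salts the password with the user name the client typed, while the
backend looks the role up (and stored its hash) under the name it derives
after db_user_namespace rewriting.  When the two names differ, the salted
answer can never match, whatever the password.

Assumptions (PostgreSQL's documented scheme, restated here, not taken from
the page):
  * a stored MD5 password is  "md5" + hex(md5(password + rolename))
  * the client's answer to AUTH_REQ_MD5 is
        "md5" + hex(md5(hex(md5(password + username)) + salt))
  * with db_user_namespace on, a client name ending in "@" has the "@"
    stripped (global role); any other name gets "@" + dbname appended.
Role names, the password and the salt below are constructed sample data.
"""
import hashlib
import hmac


def pg_md5_stored(password: str, rolename: str) -> str:
    """What CREATE ROLE ... PASSWORD stores in pg_authid for an md5 password."""
    return "md5" + hashlib.md5((password + rolename).encode()).hexdigest()


def client_md5_response(password: str, username: str, salt: bytes) -> str:
    """libpq side: hashes with the name the *client* believes it connected as."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_md5_check(stored: str, salt: bytes, response: str) -> bool:
    """Backend side: re-derive the expected answer from the stored hash and the salt."""
    expected = "md5" + hashlib.md5(stored[len("md5"):].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def server_role_name(client_user: str, dbname: str, db_user_namespace: bool) -> str:
    """Name the backend looks up after the db_user_namespace rewrite (assumed rule, see docstring)."""
    if not db_user_namespace:
        return client_user
    if client_user.endswith("@"):
        return client_user[:-1]            # "joe@" means the global role "joe"
    return f"{client_user}@{dbname}"       # otherwise a per-database role


PASSWORD = "s3cret"          # constructed sample credential
SALT = b"\x4a\x17\x9c\x02"   # constructed 4-byte salt; the real one is random per connection
ROLES = {
    # created as  CREATE ROLE "alice@appdb" PASSWORD ...  as the docs say to do
    "alice@appdb": pg_md5_stored(PASSWORD, "alice@appdb"),
    # an ordinary global role
    "bob": pg_md5_stored(PASSWORD, "bob"),
}


def simulate_login(client_user: str, dbname: str, password: str,
                   db_user_namespace: bool, client_salts_as: str = "") -> bool:
    """Run one AUTH_REQ_MD5 round trip against ROLES and return whether it succeeds.

    client_salts_as overrides the name libpq hashes with; it is only used to
    show that the *name*, not the password, is what differs between the sides.
    """
    rolename = server_role_name(client_user, dbname, db_user_namespace)
    stored = ROLES.get(rolename)
    if stored is None:
        return False                       # unknown role: backend rejects
    response = client_md5_response(password, client_salts_as or client_user, SALT)
    return server_md5_check(stored, SALT, response)


if __name__ == "__main__":
    # Without db_user_namespace both sides use the same name: works.
    print("bob, namespace off        :", simulate_login("bob", "appdb", PASSWORD, False))
    # With it on, client hashes as "alice", backend stored "alice@appdb": fails.
    print("alice, namespace on       :", simulate_login("alice", "appdb", PASSWORD, True))
    # Global role via "bob@": client hashes as "bob@", backend stored "bob": fails too.
    print("bob@, namespace on        :", simulate_login("bob@", "appdb", PASSWORD, True))
    # Same password hashed under the backend's name would succeed, so the
    # user-name salt mismatch alone explains the failure.
    print("alice salted as alice@appdb:",
          simulate_login("alice", "appdb", PASSWORD, True, client_salts_as="alice@appdb"))
```

The last case is the point of the patch's error message: nothing the client can type as a password fixes this, because the two sides disagree on the string mixed into the hash, so refusing md5 up front is more honest than a plain "password authentication failed".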