Re: [GENERAL] db_user_namespace, md5 and changing passwords
From | Bruce Momjian |
---|---|
Subject | Re: [GENERAL] db_user_namespace, md5 and changing passwords |
Date | |
Msg-id | 200811112147.mABLlHI17864@momjian.us |
Replies | Re: [GENERAL] db_user_namespace, md5 and changing passwords (Magnus Hagander <magnus@hagander.net>) |
List | pgsql-hackers |
Magnus Hagander wrote:
> > I have developed the attached patch, which documents the inability to
> > use MD5 with db_user_namespace, and throws an error when it is used:
> >
> > psql: FATAL: MD5 authentication is not supported when "db_user_namespace" is enabled
>
> IMHO it would be much nicer to detect this when we load pg_hba.conf.
> It's easy to do these days :-P
>
> I don't think we need to worry about the "changed postgresql.conf after
> we changed pg_hba.conf" that much, because we'll always reload
> pg_hba.conf after the main config file.
>
> I'd still leave the runtime check in as well to handle the "loaded one
> but not the other" case, but let's try to prevent the user from loading the
> broken config file in the first place..

[ Thread moved to hackers. ]

OK, updated patch attached.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Index: doc/src/sgml/config.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v retrieving revision 1.195 diff -c -c -r1.195 config.sgml *** doc/src/sgml/config.sgml 11 Nov 2008 02:42:31 -0000 1.195 --- doc/src/sgml/config.sgml 11 Nov 2008 18:49:05 -0000 *************** *** 706,711 **** --- 706,720 ---- before the user name is looked up by the server. </para> + <para> + Keep in mind all authentication checks are done with + the server's representation of the user name, not the client's. + Because of this, <literal>MD5</> authentication will not work + when <literal>db_user_namespace</> is enabled because the + client and server have different representations of the user + name. 
+ </para> + <note> <para> This feature is intended as a temporary measure until a Index: src/backend/libpq/auth.c =================================================================== RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v retrieving revision 1.170 diff -c -c -r1.170 auth.c *** src/backend/libpq/auth.c 28 Oct 2008 12:10:43 -0000 1.170 --- src/backend/libpq/auth.c 11 Nov 2008 18:49:06 -0000 *************** *** 368,373 **** --- 368,377 ---- break; case uaMD5: + if (Db_user_namespace) + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"))); sendAuthRequest(port, AUTH_REQ_MD5); status = recv_and_check_password_packet(port); break; Index: src/backend/libpq/hba.c =================================================================== RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v retrieving revision 1.172 diff -c -c -r1.172 hba.c *** src/backend/libpq/hba.c 28 Oct 2008 12:10:43 -0000 1.172 --- src/backend/libpq/hba.c 11 Nov 2008 18:49:06 -0000 *************** *** 846,852 **** --- 846,861 ---- else if (strcmp(token, "reject") == 0) parsedline->auth_method = uaReject; else if (strcmp(token, "md5") == 0) + { + if (Db_user_namespace) + { + ereport(LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"))); + return false; + } parsedline->auth_method = uaMD5; + } else if (strcmp(token, "pam") == 0) #ifdef USE_PAM parsedline->auth_method = uaPAM;
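Review bot: the new config.sgml paragraph says MD5 authentication "will not work" with db_user_namespace but does not tell the reader what the server actually does about it; since the hba.c change now rejects a pg_hba.conf `md5` line when db_user_namespace is on, and auth.c raises a FATAL at connection time, say so in this paragraph so an administrator who meets the 'MD5 authentication is not supported when "db_user_namespace" is enabled' message knows where it comes from. Minor wording: "Keep in mind all authentication checks" reads better as "Keep in mind that all authentication checks".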
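Review bot: the uaMD5 check in the auth.c hunk reports ereport(FATAL) with a message that tells the connecting client that db_user_namespace is enabled on the server, a configuration detail an unauthenticated client has no need for; the hba.c change already keeps such a configuration from loading, so for the remaining "loaded one but not the other" case consider logging the specific reason server-side and sending the client a less specific authentication failure. Also, the same errmsg string is now spelled out verbatim in both auth.c and hba.c; defining it once avoids the two copies drifting apart when one is reworded.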
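Review bot: in the hba.c hunk, the LOG message for a rejected `md5` line gives no indication of which pg_hba.conf line triggered it, so with several md5 lines in the file the administrator cannot tell from the log alone which one was refused; consider adding the line number or the offending line to the report. The hunk also does `return false` before parsedline->auth_method is assigned, so please confirm that the caller treats a false return as "refuse to load this configuration", which is what the thread asks for, rather than silently skipping the line and leaving the rest of the file in effect.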