Re: [GENERAL] db_user_namespace, md5 and changing passwords

Bruce Momjian wrote:
> Magnus Hagander wrote:
> > >> Not sure I care enough to dive into what it would actually mean. My
> > >> guess is that it's very uncommon to use db_user_namespace in any of
> > >> these scenarios (in fact I think it's very uncommon to use it at all,
> > >> but even more uncommon in these cases)
> > > 
> > > The documentation changes highlight that we are going to validate for
> > > most external authentications using the server username, so the external
> > > authentication has to be set up to use that server username.  Were the
> > > docs not clear on that?  Do I need a mention of db_user_namespace in the
> > > authentication docs?
> > 
> > AFAICS, the changes only say MD5 doesn't work. I think it should be made
> > more clear.
> > 
> > And yes, it probably makes sense to put it around the authentication
> > docs as well as a warning to people - that's where they'll go looking if
> > something doesn't work.
> 
> OK, documentation updated stating that all authentication has to user
> the server username, and added a mention in the client-auth docs too.

Applied to CVS HEAD.  Not sure if it should be backpatched so I didn't. 
We do have two bug reports for 8.3 but none for earlier releases where
it was also broken.

---------------------------------------------------------------------------


> 
> -- 
>   Bruce Momjian  <bruce@momjian.us>        http://momjian.us
>   EnterpriseDB                             http://enterprisedb.com
> 
>   + If your life is a hard drive, Christ can be your backup. +

> Index: doc/src/sgml/client-auth.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
> retrieving revision 1.111
> diff -c -c -r1.111 client-auth.sgml
> *** doc/src/sgml/client-auth.sgml    18 Nov 2008 13:10:20 -0000    1.111
> --- doc/src/sgml/client-auth.sgml    20 Nov 2008 03:56:43 -0000
> ***************
> *** 702,707 ****
> --- 702,709 ----
>       If you are at all concerned about password
>       <quote>sniffing</> attacks then <literal>md5</> is preferred.
>       Plain <literal>password</> should always be avoided if possible.
> +     <literal>md5</> cannot be used with <xref
> +     linkend="guc-db-user-namespace">.
>      </para>
>   
>      <para>
> Index: doc/src/sgml/config.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
> retrieving revision 1.195
> diff -c -c -r1.195 config.sgml
> *** doc/src/sgml/config.sgml    11 Nov 2008 02:42:31 -0000    1.195
> --- doc/src/sgml/config.sgml    20 Nov 2008 03:56:44 -0000
> ***************
> *** 706,711 ****
> --- 706,722 ----
>           before the user name is looked up by the server.
>          </para>
>   
> +        <para>
> +         <varname>db_user_namespace</> causes the client's and
> +         server's user name representation to differ.
> +         Authentication checks are always done with the server's user name
> +         so authentication methods must be configured for the
> +         server's user name, not the client's.  Because
> +         <literal>md5</> uses the user name as salt on both the
> +         client and server, <literal>md5</> cannot be used with
> +         <varname>db_user_namespace</>.
> +        </para>
> + 
>          <note>
>           <para>
>            This feature is intended as a temporary measure until a
> Index: src/backend/libpq/auth.c
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v
> retrieving revision 1.171
> diff -c -c -r1.171 auth.c
> *** src/backend/libpq/auth.c    18 Nov 2008 13:10:20 -0000    1.171
> --- src/backend/libpq/auth.c    20 Nov 2008 03:56:44 -0000
> ***************
> *** 371,376 ****
> --- 371,380 ----
>               break;
>   
>           case uaMD5:
> +             if (Db_user_namespace)
> +                 ereport(FATAL,
> +                         (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> +                          errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
>               sendAuthRequest(port, AUTH_REQ_MD5);
>               status = recv_and_check_password_packet(port);
>               break;
> Index: src/backend/libpq/hba.c
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v
> retrieving revision 1.172
> diff -c -c -r1.172 hba.c
> *** src/backend/libpq/hba.c    28 Oct 2008 12:10:43 -0000    1.172
> --- src/backend/libpq/hba.c    20 Nov 2008 03:56:47 -0000
> ***************
> *** 846,852 ****
> --- 846,861 ----
>       else if (strcmp(token, "reject") == 0)
>           parsedline->auth_method = uaReject;
>       else if (strcmp(token, "md5") == 0)
> +     {
> +         if (Db_user_namespace)
> +         {
> +             ereport(LOG,
> +                     (errcode(ERRCODE_CONFIG_FILE_ERROR),
> +                      errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
> +             return false;
> +         }
>           parsedline->auth_method = uaMD5;
> +     }
>       else if (strcmp(token, "pam") == 0)
>   #ifdef USE_PAM
>           parsedline->auth_method = uaPAM;

> 
> -- 
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +