Thread: Differences in crypt hash?

From:
Richard Hodges
Date:

Hi all,

I am trying to figure out exactly what is going on with a client
that I have just compiled for Solaris 2.7.  I have compiled both
7.0.3 and 7.1.2, and neither gave me any obvious compilation errors,
but I did note these interesting (relevant?) warnings:
  UX tsort: INFORM: cycle in data
          fe-connect.o
          fe-auth.o
  UX tsort: INFORM: cycle in data
          fe-exec.o
          fe-connect.o

My Solaris client uses the three files: libpq-fe.h, postgres_ext.h,
and libpq.a (nothing else).

The problem is that my Solaris client does not authenticate against
my server (7.0.3 built on FreeBSD).  I added the following line to
src/backend/libpq/crypt.c, function crypt_verify() for logging:
  fprintf(stderr, "crypt_verify: user='%s' pass='%s', crypt='%s'\n",
    user, pgpass, crypt_pwd);

When my FreeBSD client connects, this logging prints success:
  crypt_verify: user='dtvuser'
     pass='$1$hI$eaByHtOxTYKOygT1.JMsU.',
    crypt='$1$hI$eaByHtOxTYKOygT1.JMsU.'
  crypt_verify: user='dtvuser'
     pass='$1$ZH$YGGYInw6oH0P29Ze6hlo.1',
    crypt='$1$ZH$YGGYInw6oH0P29Ze6hlo.1'

When my Solaris client tries to connect, the hash is totally wrong:
  crypt_verify: user='dtvuser'
     pass='lBeX8.2tWJup.',
    crypt='$1$lB$ajOq8TJJdUAAyDZcSGDfM.'
  crypt_verify: user='dtvuser'
     pass='3HW/UXZhFVXhs',
    crypt='$1$3H$QzIURSP9F/v/nI5jFwwXn.'

My FreeBSD client is apparently using a salted MD5 hash, where my
Solaris client seems to be just throwing something else.

Is there a configuration item I missed while compiling?  Or is there
a run-time option involved?

Thanks for any insight into this!

-Richard

-------------------------------------------
   Richard Hodges   | Matriplex, inc.
   Product Manager  | 769 Basque Way
    | Carson City, NV 89706
    775-886-6477    | www.matriplex.com


From:
Tom Lane
Date:

Richard Hodges <> writes:
> The problem is that my Solaris client does not authenticate against
> my server (7.0.3 built on FreeBSD).

Indeed, one of the nasty things about the 'crypt' authentication method
is that it assumes the crypt() library call acts the same on both client
and server machine.  As you've just discovered, that ain't always so.

There have been plans for some time to supersede our present password
auth methods with something more secure and portable (probably MD5
double hashing at both ends).  I think Vince V. is working on that,
but I've not heard anything about it lately.  You can read all about it
in the pghackers mail archives if you care.

In the meantime, you'll just have to use a different auth method.
Plain "password" would work.  (If you're concerned about someone
sniffing your TCP connection, consider using SSL.)

            regards, tom lane
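
The mismatch described above can be read directly off the crypt_verify log lines earlier in the thread. The following is an added example, not code from the thread or from PostgreSQL; `classify` and `diagnose` are hypothetical helpers. It recognises the 13-character traditional DES crypt(3) format and the `$1$` MD5-crypt format, and shows that the Solaris response carries the same two-character salt as the server's value but was produced by a different algorithm.

```c
#include <stdio.h>
#include <string.h>

/* Alphabet crypt(3) uses for salts and encoded hashes. */
static const char B64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
enum scheme { S_UNKNOWN, S_DES, S_MD5 };
enum verdict { V_MATCH, V_ALGO_MISMATCH, V_SALT_MISMATCH, V_HASH_MISMATCH, V_UNPARSED };

/* Classify one crypt(3) output string and copy its salt into salt[9]. */
enum scheme classify(const char *h, char salt[9])
{
    salt[0] = '\0';
    if (strncmp(h, "$1$", 3) == 0) {               /* $1$<salt, 1-8>$<22 chars> */
        const char *s = h + 3, *end = strchr(s, '$');
        size_t n = end ? (size_t)(end - s) : 0;
        if (n == 0 || n > 8 || strspn(s, B64) != n) return S_UNKNOWN;
        if (strlen(end + 1) != 22 || strspn(end + 1, B64) != 22) return S_UNKNOWN;
        memcpy(salt, s, n); salt[n] = '\0';
        return S_MD5;
    }
    if (strlen(h) == 13 && strspn(h, B64) == 13) { /* <salt, 2><11 chars> */
        memcpy(salt, h, 2); salt[2] = '\0';
        return S_DES;
    }
    return S_UNKNOWN;
}

/* Compare what the client sent (pass) with what the server computed (crypt_pwd). */
enum verdict diagnose(const char *pass, const char *crypt_pwd)
{
    char cs[9], ss[9];
    enum scheme c = classify(pass, cs), s = classify(crypt_pwd, ss);
    if (c == S_UNKNOWN || s == S_UNKNOWN) return V_UNPARSED;
    if (strcmp(pass, crypt_pwd) == 0) return V_MATCH;
    if (strcmp(cs, ss) != 0) return V_SALT_MISMATCH;
    return c != s ? V_ALGO_MISMATCH : V_HASH_MISMATCH;
}

int main(void)
{
    static const char *names[] = { "match", "same salt, different algorithm",
        "different salt", "same salt and algorithm, different hash", "unparsed" };
    static const char *pairs[][2] = {  /* copied from the crypt_verify log lines above */
        { "$1$hI$eaByHtOxTYKOygT1.JMsU.", "$1$hI$eaByHtOxTYKOygT1.JMsU." },
        { "lBeX8.2tWJup.",                "$1$lB$ajOq8TJJdUAAyDZcSGDfM." },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-30s -> %s\n", pairs[i][0], names[diagnose(pairs[i][0], pairs[i][1])]);
    return 0;
}
```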

From:
Bruce Momjian
Date:

> Richard Hodges <> writes:
> > The problem is that my Solaris client does not authenticate against
> > my server (7.0.3 built on FreeBSD).
>
> Indeed, one of the nasty things about the 'crypt' authentication method
> is that it assumes the crypt() library call acts the same on both client
> and server machine.  As you've just discovered, that ain't always so.
>
> There have been plans for some time to supersede our present password
> auth methods with something more secure and portable (probably MD5
> double hashing at both ends).  I think Vince V. is working on that,
> but I've not heard anything about it lately.  You can read all about it
> in the pghackers mail archives if you care.

I am trying to get it done for 7.2.  I have Vince's md5 code.  I just
need to plug it into the authentication code.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
                 |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

From:
Richard Hodges
Date:

On Sat, 4 Aug 2001, Bruce Momjian wrote:

> > Richard Hodges <> writes:
> > > The problem is that my Solaris client does not authenticate against
> > > my server (7.0.3 built on FreeBSD).
> >
> > Indeed, one of the nasty things about the 'crypt' authentication method
> > is that it assumes the crypt() library call acts the same on both client
> > and server machine.  As you've just discovered, that ain't always so.
> >
> > There have been plans for some time to supersede our present password
> > auth methods with something more secure and portable (probably MD5
> > double hashing at both ends).  I think Vince V. is working on that,
> > but I've not heard anything about it lately.  You can read all about it
> > in the pghackers mail archives if you care.
>
> I am trying to get it done for 7.2.  I have Vince's md5 code.  I just
> need to plug it into the authentication code.

Thanks for the info, Tom and Bruce.  I'll just have to use cleartext
passwords in the meantime :-(  Yuck.

All the best,

-Richard

-------------------------------------------
   Richard Hodges   | Matriplex, inc.
   Product Manager  | 769 Basque Way
    | Carson City, NV 89706
    775-886-6477    | www.matriplex.com