open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt.

Browse Source
REL7_2_STABLE
Bruce Momjian 24 years ago
parent f7eedfdff2
commit bcb0ccf5be
6 changed files with 44 additions and 34 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 35
      doc/src/sgml/client-auth.sgml
  2. 4
      doc/src/sgml/jdbc.sgml
  3. 15
      src/backend/libpq/auth.c
  4. 7
      src/backend/libpq/hba.c
  5. 12
      src/backend/libpq/pg_hba.conf.sample
  6. 5
      src/include/libpq/hba.h

35
doc/src/sgml/client-auth.sgml
Unescape View File

@ -1,4 +1,4 @@
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.17 2001/08/16 16:24:15 momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -194,25 +194,36 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<para>
The password is sent over the wire in clear text. For better
protection, use the <literal>crypt</literal> method.
protection, use the <literal>md5</literal> or
<literal>crypt</literal> methods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>crypt</>
<term>md5</>
<listitem>
<para>
Like the <literal>password</literal> method, but the password
is sent over the wire encrypted using a simple
challenge-response protocol. This protects against incidental
wire-sniffing. The name of a file may follow the
<literal>crypt</literal> keyword. It contains a list of users
<literal>md5</literal> keyword. It contains a list of users
for this record.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>crypt</>
<listitem>
<para>
Like the <literal>md5</literal> method but uses older crypt
authentication for pre-7.2 clients.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb4</>
<listitem>
@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password in pg_shadow is correctly supplied:
host template1 192.168.12.10 255.255.255.255 crypt
host template1 192.168.12.10 255.255.255.255 md5
# In the absence of preceding "host" lines, these two lines will reject
# all connection attempts from 192.168.54.1 (since that entry will be
@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para>
<para>
To restrict the set of users that are allowed to connect to
certain databases, list the set of users in a separate file (one
user name per line) in the same directory that
<filename>pg_hba.conf</> is in, and mention the (base) name of the
file after the <literal>password</> or <literal>crypt</> keyword,
To restrict the set of users that are allowed to connect to certain
databases, list the set of users in a separate file (one user name
per line) in the same directory that <filename>pg_hba.conf</> is in,
and mention the (base) name of the file after the
<literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,
respectively, in <filename>pg_hba.conf</>. If you do not use this
feature, then any user that is known to the database system can
connect to any database (so long as he passes password
@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para>
<para>
Alternative passwords cannot be used when using the
<literal>crypt</> method. The file will still be evaluated as
Alternative passwords cannot be used when using the <literal>md5</>
or <literal>crypt</> methods. The file will still be evaluated as
usual but the password field will simply be ignored and the
<literal>pg_shadow</> password will be used.
</para>

4
doc/src/sgml/jdbc.sgml
Unescape View File

@ -1,5 +1,5 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.20 2001/03/11 11:06:59 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.21 2001/08/16 16:24:15 momjian Exp $
-->
<chapter id="jdbc">
@ -162,7 +162,7 @@ java uk.org.retep.finder.Main
<filename>pg_hba.conf</filename> file may need to be configured.
Refer to the <citetitle>Administrator's Guide</citetitle> for
details. The <acronym>JDBC</acronym> Driver supports trust,
ident, password, and crypt authentication methods.
ident, password, and md5, crypt authentication methods.
</para>
</sect2>
</sect1>

15
src/backend/libpq/auth.c
Unescape View File

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/16 04:27:18 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/16 16:24:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -501,19 +501,16 @@ ClientAuthentication(Port *port)
status = recv_and_check_password_packet(port);
break;
case uaMD5:
sendAuthRequest(port, AUTH_REQ_MD5);
if ((status = recv_and_check_password_packet(port)) == STATUS_OK)
break;
port->auth_method = uaCrypt;
/* Try crypt() for old client */
/* FALL THROUGH */
case uaCrypt:
sendAuthRequest(port, AUTH_REQ_CRYPT);
status = recv_and_check_password_packet(port);
break;
case uaMD5:
sendAuthRequest(port, AUTH_REQ_MD5);
status = recv_and_check_password_packet(port);
break;
case uaTrust:
status = STATUS_OK;
break;

7
src/backend/libpq/hba.c
Unescape View File

@ -10,7 +10,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/16 04:27:18 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/16 16:24:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
*userauth_p = uaKrb5;
else if (strcmp(token, "reject") == 0)
*userauth_p = uaReject;
else if (strcmp(token, "crypt") == 0)
/* Try MD5 first; on failure, switch to crypt() */
else if (strcmp(token, "md5") == 0)
*userauth_p = uaMD5;
else if (strcmp(token, "crypt") == 0)
*userauth_p = uaCrypt;
else
*error_p = true;
line = lnext(line);

12
src/backend/libpq/pg_hba.conf.sample
Unescape View File

@ -115,13 +115,15 @@
# utility. Remember, these passwords override pg_shadow
# passwords.
#
# crypt: Same as "password", but authentication is done by
# md5: Same as "password", but authentication is done by
# encrypting the password sent over the network. This is
# always preferable to "password" except for old clients
# that don't support "crypt". Also, crypt can use
# usernames stored in secondary password files but not
# secondary passwords.
# that don't support it. Also, md5 can use usernames stored
# in secondary password files but not secondary passwords.
#
# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can
# not store encrypted passwords if you use this option.
#
# ident: For TCP/IP connections, authentication is done by contacting
# the ident server on the client host. (CAUTION: this is only
# as secure as the client machine!) On machines that support
@ -173,7 +175,7 @@
# if the user's password in pg_shadow is correctly supplied:
#
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host template1 192.168.12.10 255.255.255.255 crypt
# host template1 192.168.12.10 255.255.255.255 md5
#
# In the absence of preceding "host" lines, these two lines will reject
# all connection from 192.168.54.1 (since that entry will be matched

5
src/include/libpq/hba.h
Unescape View File

@ -4,7 +4,7 @@
* Interface to hba.c
*
*
* $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $
* $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -36,8 +36,7 @@ typedef enum UserAuth
uaIdent,
uaPassword,
uaCrypt,
uaMD5 /* This starts as uaCrypt from pg_hba.conf, but gets
overridden if the client supports MD5 */
uaMD5
} UserAuth;
typedef struct Port hbaPort;

Write Preview
Loading…
Cancel
Save