Issue a proper error message when MD5 is attempted when
db_user_namespace is enabled.

Also document this limitation.
This commit is contained in:
Bruce Momjian 2008-11-20 20:45:30 +00:00
parent 176961c1f1
commit 170b66a0c5
4 changed files with 30 additions and 4 deletions

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.113 2008/11/20 20:45:29 momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -712,6 +712,8 @@ omicron bryanh guest1
If you are at all concerned about password
<quote>sniffing</> attacks then <literal>md5</> is preferred.
Plain <literal>password</> should always be avoided if possible.
<literal>md5</> cannot be used with <xref
linkend="guc-db-user-namespace">.
</para>
<para>
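Review bot: the new sentence at the end of this paragraph states the restriction but leaves the reader without guidance on what to do instead. The surrounding text says plain password "should always be avoided if possible" and that md5 is preferred against sniffing, so an administrator who has db_user_namespace enabled is now told that the preferred method is unavailable without being told which method remains acceptable. Suggest adding one sentence stating the consequence explicitly (for example, that with db_user_namespace enabled a password-based method other than md5 must be chosen, with the sniffing caveat that implies), or pointing to the config.sgml paragraph that explains why the salt makes md5 unusable here.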

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.195 2008/11/11 02:42:31 tgl Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.196 2008/11/20 20:45:29 momjian Exp $ -->
<chapter Id="runtime-config">
<title>Server Configuration</title>
@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;
before the user name is looked up by the server.
</para>
<para>
<varname>db_user_namespace</> causes the client's and
server's user name representation to differ.
Authentication checks are always done with the server's user name
so authentication methods must be configured for the
server's user name, not the client's. Because
<literal>md5</> uses the user name as salt on both the
client and server, <literal>md5</> cannot be used with
<varname>db_user_namespace</>.
</para>
<note>
<para>
This feature is intended as a temporary measure until a
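Review bot: the explanation of why md5 and db_user_namespace conflict (the user name is used as salt on both ends, and the two ends now see different user names) is clear, but the paragraph does not say what the server actually does when the combination is configured. The accompanying hba.c change rejects an md5 line at pg_hba.conf parse time and the auth.c change aborts the connection with a FATAL error, so a sentence such as "The server will reject pg_hba.conf entries using md5 while db_user_namespace is enabled" would tell administrators what to expect rather than leaving them to discover it from the log.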

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -413,6 +413,10 @@ ClientAuthentication(Port *port)
break;
case uaMD5:
if (Db_user_namespace)
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
sendAuthRequest(port, AUTH_REQ_MD5);
status = recv_and_check_password_packet(port);
break;
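Review bot: the check is placed before sendAuthRequest, so no password packet is ever solicited when the combination is invalid, which is the right ordering; two points remain. First, hba.c already refuses to parse an md5 line while Db_user_namespace is set, so a short comment here explaining when this FATAL path can still be reached (for example, if the parameter's value differs from what it was when pg_hba.conf was last loaded) would save the next reader from concluding the check is dead code. Second, a FATAL raised at this point is delivered to a client that has not yet authenticated, and the message names the server parameter; consider whether the configuration detail should go to the server log only while the client receives a generic authentication failure, which is how the rest of this function avoids leaking configuration to unauthenticated peers.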

@ -10,7 +10,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/20 11:48:26 mha Exp $
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/20 20:45:30 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -846,7 +846,16 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
else if (strcmp(token, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token, "md5") == 0)
{
if (Db_user_namespace)
{
ereport(LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
return false;
}
parsedline->auth_method = uaMD5;
}
else if (strcmp(token, "pam") == 0)
#ifdef USE_PAM
parsedline->auth_method = uaPAM;
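Review bot: the LOG message in the new md5 branch does not say which pg_hba.conf line triggered it, even though the function receives line_num as a parameter (visible in the hunk header, parse_hba_line(List *line, int line_num, HbaLine *parsedline)); an administrator reading the log cannot tell which of several md5 entries was rejected. Suggest including the line number in the message text or as context, consistent with how other parse errors in this function report their location. Separately, since this rejection depends on the value of Db_user_namespace at the moment the file is parsed, a one-line comment noting that the runtime check in ClientAuthentication covers the case where the parameter and the parsed file get out of step would document why both checks exist.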