mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt.

Browse Source
This commit is contained in:
Bruce Momjian 2001-08-16 16:24:16 +00:00
parent f7eedfdff2
commit bcb0ccf5be
6 changed files with 48 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
doc/src/sgml/client-auth.sgml
View File

@ -1,4 +1,4 @@
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.17 2001/08/16 16:24:15 momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -194,7 +194,22 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<para>
The password is sent over the wire in clear text. For better
protection, use the <literal>crypt</literal> method.
protection, use the <literal>md5</literal> or
<literal>crypt</literal> methods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>md5</>
<listitem>
<para>
Like the <literal>password</literal> method, but the password
is sent over the wire encrypted using a simple
challenge-response protocol. This protects against incidental
wire-sniffing. The name of a file may follow the
<literal>md5</literal> keyword. It contains a list of users
for this record.
</para>
</listitem>
</varlistentry>
@ -203,12 +218,8 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<term>crypt</>
<listitem>
<para>
Like the <literal>password</literal> method, but the password
is sent over the wire encrypted using a simple
challenge-response protocol. This protects against incidental
wire-sniffing. The name of a file may follow the
<literal>crypt</literal> keyword. It contains a list of users
for this record.
Like the <literal>md5</literal> method but uses older crypt
authentication for pre-7.2 clients.
</para>
</listitem>
</varlistentry>
@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password in pg_shadow is correctly supplied:
host template1 192.168.12.10 255.255.255.255 crypt
host template1 192.168.12.10 255.255.255.255 md5
# In the absence of preceding "host" lines, these two lines will reject
# all connection attempts from 192.168.54.1 (since that entry will be
@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para>
<para>
To restrict the set of users that are allowed to connect to
certain databases, list the set of users in a separate file (one
user name per line) in the same directory that
<filename>pg_hba.conf</> is in, and mention the (base) name of the
file after the <literal>password</> or <literal>crypt</> keyword,
To restrict the set of users that are allowed to connect to certain
databases, list the set of users in a separate file (one user name
per line) in the same directory that <filename>pg_hba.conf</> is in,
and mention the (base) name of the file after the
<literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,
respectively, in <filename>pg_hba.conf</>. If you do not use this
feature, then any user that is known to the database system can
connect to any database (so long as he passes password
@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para>
<para>
Alternative passwords cannot be used when using the
<literal>crypt</> method. The file will still be evaluated as
Alternative passwords cannot be used when using the <literal>md5</>
or <literal>crypt</> methods. The file will still be evaluated as
usual but the password field will simply be ignored and the
<literal>pg_shadow</> password will be used.
</para>

4
doc/src/sgml/jdbc.sgml
View File

@ -1,5 +1,5 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.20 2001/03/11 11:06:59 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.21 2001/08/16 16:24:15 momjian Exp $
-->
<chapter id="jdbc">
@ -162,7 +162,7 @@ java uk.org.retep.finder.Main
<filename>pg_hba.conf</filename> file may need to be configured.
Refer to the <citetitle>Administrator's Guide</citetitle> for
details. The <acronym>JDBC</acronym> Driver supports trust,
ident, password, and crypt authentication methods.
ident, password, and md5, crypt authentication methods.
</para>
</sect2>
</sect1>

15
src/backend/libpq/auth.c
View File

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/16 04:27:18 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/16 16:24:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -501,19 +501,16 @@ ClientAuthentication(Port *port)
status = recv_and_check_password_packet(port);
break;
case uaMD5:
sendAuthRequest(port, AUTH_REQ_MD5);
if ((status = recv_and_check_password_packet(port)) == STATUS_OK)
break;
port->auth_method = uaCrypt;
/* Try crypt() for old client */
/* FALL THROUGH */
case uaCrypt:
sendAuthRequest(port, AUTH_REQ_CRYPT);
status = recv_and_check_password_packet(port);
break;
case uaMD5:
sendAuthRequest(port, AUTH_REQ_MD5);
status = recv_and_check_password_packet(port);
break;
case uaTrust:
status = STATUS_OK;
break;

7
src/backend/libpq/hba.c
View File

@ -10,7 +10,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/16 04:27:18 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/16 16:24:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
*userauth_p = uaKrb5;
else if (strcmp(token, "reject") == 0)
*userauth_p = uaReject;
else if (strcmp(token, "crypt") == 0)
/* Try MD5 first; on failure, switch to crypt() */
else if (strcmp(token, "md5") == 0)
*userauth_p = uaMD5;
else if (strcmp(token, "crypt") == 0)
*userauth_p = uaCrypt;
else
*error_p = true;
line = lnext(line);

12
src/backend/libpq/pg_hba.conf.sample
View File

@ -115,13 +115,15 @@
# utility. Remember, these passwords override pg_shadow
# passwords.
#
# crypt: Same as "password", but authentication is done by
# md5: Same as "password", but authentication is done by
# encrypting the password sent over the network. This is
# always preferable to "password" except for old clients
# that don't support "crypt". Also, crypt can use
# usernames stored in secondary password files but not
# secondary passwords.
# that don't support it. Also, md5 can use usernames stored
# in secondary password files but not secondary passwords.
#
# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can
# not store encrypted passwords if you use this option.
#
# ident: For TCP/IP connections, authentication is done by contacting
# the ident server on the client host. (CAUTION: this is only
# as secure as the client machine!) On machines that support
@ -173,7 +175,7 @@
# if the user's password in pg_shadow is correctly supplied:
#
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host template1 192.168.12.10 255.255.255.255 crypt
# host template1 192.168.12.10 255.255.255.255 md5
#
# In the absence of preceding "host" lines, these two lines will reject
# all connection from 192.168.54.1 (since that entry will be matched

5
src/include/libpq/hba.h
View File

@ -4,7 +4,7 @@
* Interface to hba.c
*
*
* $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $
* $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -36,8 +36,7 @@ typedef enum UserAuth
uaIdent,
uaPassword,
uaCrypt,
uaMD5 /* This starts as uaCrypt from pg_hba.conf, but gets
overridden if the client supports MD5 */
uaMD5
} UserAuth;
typedef struct Port hbaPort;