Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt.
This commit is contained in:
parent
f7eedfdff2
commit
bcb0ccf5be
@ -1,4 +1,4 @@
|
||||
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ -->
|
||||
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.17 2001/08/16 16:24:15 momjian Exp $ -->
|
||||
|
||||
<chapter id="client-authentication">
|
||||
<title>Client Authentication</title>
|
||||
@ -194,7 +194,22 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
|
||||
|
||||
<para>
|
||||
The password is sent over the wire in clear text. For better
|
||||
protection, use the <literal>crypt</literal> method.
|
||||
protection, use the <literal>md5</literal> or
|
||||
<literal>crypt</literal> methods.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>md5</>
|
||||
<listitem>
|
||||
<para>
|
||||
Like the <literal>password</literal> method, but the password
|
||||
is sent over the wire encrypted using a simple
|
||||
challenge-response protocol. This protects against incidental
|
||||
wire-sniffing. The name of a file may follow the
|
||||
<literal>md5</literal> keyword. It contains a list of users
|
||||
for this record.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -203,12 +218,8 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
|
||||
<term>crypt</>
|
||||
<listitem>
|
||||
<para>
|
||||
Like the <literal>password</literal> method, but the password
|
||||
is sent over the wire encrypted using a simple
|
||||
challenge-response protocol. This protects against incidental
|
||||
wire-sniffing. The name of a file may follow the
|
||||
<literal>crypt</literal> keyword. It contains a list of users
|
||||
for this record.
|
||||
Like the <literal>md5</literal> method but uses older crypt
|
||||
authentication for pre-7.2 clients.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser
|
||||
# Allow a user from host 192.168.12.10 to connect to database "template1"
|
||||
# if the user's password in pg_shadow is correctly supplied:
|
||||
|
||||
host template1 192.168.12.10 255.255.255.255 crypt
|
||||
host template1 192.168.12.10 255.255.255.255 md5
|
||||
|
||||
# In the absence of preceding "host" lines, these two lines will reject
|
||||
# all connection attempts from 192.168.54.1 (since that entry will be
|
||||
@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To restrict the set of users that are allowed to connect to
|
||||
certain databases, list the set of users in a separate file (one
|
||||
user name per line) in the same directory that
|
||||
<filename>pg_hba.conf</> is in, and mention the (base) name of the
|
||||
file after the <literal>password</> or <literal>crypt</> keyword,
|
||||
To restrict the set of users that are allowed to connect to certain
|
||||
databases, list the set of users in a separate file (one user name
|
||||
per line) in the same directory that <filename>pg_hba.conf</> is in,
|
||||
and mention the (base) name of the file after the
|
||||
<literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,
|
||||
respectively, in <filename>pg_hba.conf</>. If you do not use this
|
||||
feature, then any user that is known to the database system can
|
||||
connect to any database (so long as he passes password
|
||||
@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Alternative passwords cannot be used when using the
|
||||
<literal>crypt</> method. The file will still be evaluated as
|
||||
Alternative passwords cannot be used when using the <literal>md5</>
|
||||
or <literal>crypt</> methods. The file will still be evaluated as
|
||||
usual but the password field will simply be ignored and the
|
||||
<literal>pg_shadow</> password will be used.
|
||||
</para>
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!--
|
||||
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.20 2001/03/11 11:06:59 petere Exp $
|
||||
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.21 2001/08/16 16:24:15 momjian Exp $
|
||||
-->
|
||||
|
||||
<chapter id="jdbc">
|
||||
@ -162,7 +162,7 @@ java uk.org.retep.finder.Main
|
||||
<filename>pg_hba.conf</filename> file may need to be configured.
|
||||
Refer to the <citetitle>Administrator's Guide</citetitle> for
|
||||
details. The <acronym>JDBC</acronym> Driver supports trust,
|
||||
ident, password, and crypt authentication methods.
|
||||
ident, password, and md5, crypt authentication methods.
|
||||
</para>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
@ -8,7 +8,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/16 04:27:18 momjian Exp $
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/16 16:24:15 momjian Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -501,19 +501,16 @@ ClientAuthentication(Port *port)
|
||||
status = recv_and_check_password_packet(port);
|
||||
break;
|
||||
|
||||
case uaMD5:
|
||||
sendAuthRequest(port, AUTH_REQ_MD5);
|
||||
if ((status = recv_and_check_password_packet(port)) == STATUS_OK)
|
||||
break;
|
||||
port->auth_method = uaCrypt;
|
||||
/* Try crypt() for old client */
|
||||
/* FALL THROUGH */
|
||||
|
||||
case uaCrypt:
|
||||
sendAuthRequest(port, AUTH_REQ_CRYPT);
|
||||
status = recv_and_check_password_packet(port);
|
||||
break;
|
||||
|
||||
case uaMD5:
|
||||
sendAuthRequest(port, AUTH_REQ_MD5);
|
||||
status = recv_and_check_password_packet(port);
|
||||
break;
|
||||
|
||||
case uaTrust:
|
||||
status = STATUS_OK;
|
||||
break;
|
||||
|
@ -10,7 +10,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/16 04:27:18 momjian Exp $
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/16 16:24:15 momjian Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
|
||||
*userauth_p = uaKrb5;
|
||||
else if (strcmp(token, "reject") == 0)
|
||||
*userauth_p = uaReject;
|
||||
else if (strcmp(token, "crypt") == 0)
|
||||
/* Try MD5 first; on failure, switch to crypt() */
|
||||
else if (strcmp(token, "md5") == 0)
|
||||
*userauth_p = uaMD5;
|
||||
else if (strcmp(token, "crypt") == 0)
|
||||
*userauth_p = uaCrypt;
|
||||
else
|
||||
*error_p = true;
|
||||
line = lnext(line);
|
||||
|
@ -115,13 +115,15 @@
|
||||
# utility. Remember, these passwords override pg_shadow
|
||||
# passwords.
|
||||
#
|
||||
# crypt: Same as "password", but authentication is done by
|
||||
# md5: Same as "password", but authentication is done by
|
||||
# encrypting the password sent over the network. This is
|
||||
# always preferable to "password" except for old clients
|
||||
# that don't support "crypt". Also, crypt can use
|
||||
# usernames stored in secondary password files but not
|
||||
# secondary passwords.
|
||||
# that don't support it. Also, md5 can use usernames stored
|
||||
# in secondary password files but not secondary passwords.
|
||||
#
|
||||
# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can
|
||||
# not store encrypted passwords if you use this option.
|
||||
#
|
||||
# ident: For TCP/IP connections, authentication is done by contacting
|
||||
# the ident server on the client host. (CAUTION: this is only
|
||||
# as secure as the client machine!) On machines that support
|
||||
@ -173,7 +175,7 @@
|
||||
# if the user's password in pg_shadow is correctly supplied:
|
||||
#
|
||||
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
|
||||
# host template1 192.168.12.10 255.255.255.255 crypt
|
||||
# host template1 192.168.12.10 255.255.255.255 md5
|
||||
#
|
||||
# In the absence of preceding "host" lines, these two lines will reject
|
||||
# all connection from 192.168.54.1 (since that entry will be matched
|
||||
|
@ -4,7 +4,7 @@
|
||||
* Interface to hba.c
|
||||
*
|
||||
*
|
||||
* $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $
|
||||
* $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -36,8 +36,7 @@ typedef enum UserAuth
|
||||
uaIdent,
|
||||
uaPassword,
|
||||
uaCrypt,
|
||||
uaMD5 /* This starts as uaCrypt from pg_hba.conf, but gets
|
||||
overridden if the client supports MD5 */
|
||||
uaMD5
|
||||
} UserAuth;
|
||||
|
||||
typedef struct Port hbaPort;
|
||||
|
Loading…
x
Reference in New Issue
Block a user