mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt.

Browse Source
This commit is contained in:
Bruce Momjian 2001-08-16 16:24:16 +00:00
parent f7eedfdff2
commit bcb0ccf5be
6 changed files with 48 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
doc/src/sgml/client-auth.sgml
View File

@ -1,4 +1,4 @@
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ --> <!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.17 2001/08/16 16:24:15 momjian Exp $ -->
<chapter id="client-authentication"> <chapter id="client-authentication">
<title>Client Authentication</title> <title>Client Authentication</title>
@ -194,7 +194,22 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<para> <para>
The password is sent over the wire in clear text. For better The password is sent over the wire in clear text. For better
protection, use the <literal>crypt</literal> method. protection, use the <literal>md5</literal> or
<literal>crypt</literal> methods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>md5</>
<listitem>
<para>
Like the <literal>password</literal> method, but the password
is sent over the wire encrypted using a simple
challenge-response protocol. This protects against incidental
wire-sniffing. The name of a file may follow the
<literal>md5</literal> keyword. It contains a list of users
for this record.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -203,12 +218,8 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<term>crypt</> <term>crypt</>
<listitem> <listitem>
<para> <para>
Like the <literal>password</literal> method, but the password Like the <literal>md5</literal> method but uses older crypt
is sent over the wire encrypted using a simple authentication for pre-7.2 clients.
challenge-response protocol. This protects against incidental
wire-sniffing. The name of a file may follow the
<literal>crypt</literal> keyword. It contains a list of users
for this record.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database "template1" # Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password in pg_shadow is correctly supplied: # if the user's password in pg_shadow is correctly supplied:
host template1 192.168.12.10 255.255.255.255 crypt host template1 192.168.12.10 255.255.255.255 md5
# In the absence of preceding "host" lines, these two lines will reject # In the absence of preceding "host" lines, these two lines will reject
# all connection attempts from 192.168.54.1 (since that entry will be # all connection attempts from 192.168.54.1 (since that entry will be
@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para> </para>
<para> <para>
To restrict the set of users that are allowed to connect to To restrict the set of users that are allowed to connect to certain
certain databases, list the set of users in a separate file (one databases, list the set of users in a separate file (one user name
user name per line) in the same directory that per line) in the same directory that <filename>pg_hba.conf</> is in,
<filename>pg_hba.conf</> is in, and mention the (base) name of the and mention the (base) name of the file after the
file after the <literal>password</> or <literal>crypt</> keyword, <literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,
respectively, in <filename>pg_hba.conf</>. If you do not use this respectively, in <filename>pg_hba.conf</>. If you do not use this
feature, then any user that is known to the database system can feature, then any user that is known to the database system can
connect to any database (so long as he passes password connect to any database (so long as he passes password
@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para> </para>
<para> <para>
Alternative passwords cannot be used when using the Alternative passwords cannot be used when using the <literal>md5</>
<literal>crypt</> method. The file will still be evaluated as or <literal>crypt</> methods. The file will still be evaluated as
usual but the password field will simply be ignored and the usual but the password field will simply be ignored and the
<literal>pg_shadow</> password will be used. <literal>pg_shadow</> password will be used.
</para> </para>

4
doc/src/sgml/jdbc.sgml
View File

@ -1,5 +1,5 @@
<!-- <!--
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.20 2001/03/11 11:06:59 petere Exp $ $Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.21 2001/08/16 16:24:15 momjian Exp $
--> -->
<chapter id="jdbc"> <chapter id="jdbc">
@ -162,7 +162,7 @@ java uk.org.retep.finder.Main
<filename>pg_hba.conf</filename> file may need to be configured. <filename>pg_hba.conf</filename> file may need to be configured.
Refer to the <citetitle>Administrator's Guide</citetitle> for Refer to the <citetitle>Administrator's Guide</citetitle> for
details. The <acronym>JDBC</acronym> Driver supports trust, details. The <acronym>JDBC</acronym> Driver supports trust,
ident, password, and crypt authentication methods. ident, password, and md5, crypt authentication methods.
</para> </para>
</sect2> </sect2>
</sect1> </sect1>

15
src/backend/libpq/auth.c
View File

@ -8,7 +8,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/16 04:27:18 momjian Exp $ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/16 16:24:15 momjian Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -501,19 +501,16 @@ ClientAuthentication(Port *port)
status = recv_and_check_password_packet(port); status = recv_and_check_password_packet(port);
break; break;
case uaMD5:
sendAuthRequest(port, AUTH_REQ_MD5);
if ((status = recv_and_check_password_packet(port)) == STATUS_OK)
break;
port->auth_method = uaCrypt;
/* Try crypt() for old client */
/* FALL THROUGH */
case uaCrypt: case uaCrypt:
sendAuthRequest(port, AUTH_REQ_CRYPT); sendAuthRequest(port, AUTH_REQ_CRYPT);
status = recv_and_check_password_packet(port); status = recv_and_check_password_packet(port);
break; break;
case uaMD5:
sendAuthRequest(port, AUTH_REQ_MD5);
status = recv_and_check_password_packet(port);
break;
case uaTrust: case uaTrust:
status = STATUS_OK; status = STATUS_OK;
break; break;

7
src/backend/libpq/hba.c
View File

@ -10,7 +10,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/16 04:27:18 momjian Exp $ * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/16 16:24:15 momjian Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
*userauth_p = uaKrb5; *userauth_p = uaKrb5;
else if (strcmp(token, "reject") == 0) else if (strcmp(token, "reject") == 0)
*userauth_p = uaReject; *userauth_p = uaReject;
else if (strcmp(token, "crypt") == 0) else if (strcmp(token, "md5") == 0)
/* Try MD5 first; on failure, switch to crypt() */
*userauth_p = uaMD5; *userauth_p = uaMD5;
else if (strcmp(token, "crypt") == 0)
*userauth_p = uaCrypt;
else else
*error_p = true; *error_p = true;
line = lnext(line); line = lnext(line);

12
src/backend/libpq/pg_hba.conf.sample
View File

@ -115,12 +115,14 @@
# utility. Remember, these passwords override pg_shadow # utility. Remember, these passwords override pg_shadow
# passwords. # passwords.
# #
# crypt: Same as "password", but authentication is done by # md5: Same as "password", but authentication is done by
# encrypting the password sent over the network. This is # encrypting the password sent over the network. This is
# always preferable to "password" except for old clients # always preferable to "password" except for old clients
# that don't support "crypt". Also, crypt can use # that don't support it. Also, md5 can use usernames stored
# usernames stored in secondary password files but not # in secondary password files but not secondary passwords.
# secondary passwords. #
# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can
# not store encrypted passwords if you use this option.
# #
# ident: For TCP/IP connections, authentication is done by contacting # ident: For TCP/IP connections, authentication is done by contacting
# the ident server on the client host. (CAUTION: this is only # the ident server on the client host. (CAUTION: this is only
@ -173,7 +175,7 @@
# if the user's password in pg_shadow is correctly supplied: # if the user's password in pg_shadow is correctly supplied:
# #
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host template1 192.168.12.10 255.255.255.255 crypt # host template1 192.168.12.10 255.255.255.255 md5
# #
# In the absence of preceding "host" lines, these two lines will reject # In the absence of preceding "host" lines, these two lines will reject
# all connection from 192.168.54.1 (since that entry will be matched # all connection from 192.168.54.1 (since that entry will be matched

5
src/include/libpq/hba.h
View File

@ -4,7 +4,7 @@
* Interface to hba.c * Interface to hba.c
* *
* *
* $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $ * $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -36,8 +36,7 @@ typedef enum UserAuth
uaIdent, uaIdent,
uaPassword, uaPassword,
uaCrypt, uaCrypt,
uaMD5 /* This starts as uaCrypt from pg_hba.conf, but gets uaMD5
overridden if the client supports MD5 */
} UserAuth; } UserAuth;
typedef struct Port hbaPort; typedef struct Port hbaPort;