Commit170b66a

committed

Issue a proper error message when MD5 is attempted when

db_user_namespace is enabled.Also document this limitation.

1 parent176961c commit170b66aCopy full SHA for 170b66a

File tree

+30

-4

lines changed

+30

-4

lines changed

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/2011:48:26 mha Exp $ -->`
	`1`	`+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.113 2008/11/2020:45:29 momjian Exp $ -->`
`2`	`2`
`3`	`3`	`<chapter id="client-authentication">`
`4`	`4`	`<title>Client Authentication</title>`
`@@ -712,6 +712,8 @@ omicron bryanh guest1`
`712`	`712`	`If you are at all concerned about password`
`713`	`713`	`<quote>sniffing</> attacks then <literal>md5</> is preferred.`
`714`	`714`	`Plain <literal>password</> should always be avoided if possible.`
	`715`	`+ <literal>md5</> cannot be used with <xref`
	`716`	`+ linkend="guc-db-user-namespace">.`
`715`	`717`	`</para>`
`716`	`718`
`717`	`719`	`<para>`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.195 2008/11/11 02:42:31 tgl Exp $ -->`
	`1`	`+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.196 2008/11/20 20:45:29 momjian Exp $ -->`
`2`	`2`
`3`	`3`	`<chapter Id="runtime-config">`
`4`	`4`	`<title>Server Configuration</title>`
`@@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;`
`706`	`706`	`before the user name is looked up by the server.`
`707`	`707`	`</para>`
`708`	`708`
	`709`	`+ <para>`
	`710`	`+ <varname>db_user_namespace</> causes the client's and`
	`711`	`+ server's user name representation to differ.`
	`712`	`+ Authentication checks are always done with the server's user name`
	`713`	`+ so authentication methods must be configured for the`
	`714`	`+ server's user name, not the client's. Because`
	`715`	`+ <literal>md5</> uses the user name as salt on both the`
	`716`	`+ client and server, <literal>md5</> cannot be used with`
	`717`	`+ <varname>db_user_namespace</>.`
	`718`	`+ </para>`
	`719`	`+`
`709`	`720`	`<note>`
`710`	`721`	`<para>`
`711`	`722`	`This feature is intended as a temporary measure until a`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/2011:48:26 mha Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/2020:45:30 momjian Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -413,6 +413,10 @@ ClientAuthentication(Port *port)`
`413`	`413`	`break;`
`414`	`414`
`415`	`415`	`caseuaMD5:`
	`416`	`+if (Db_user_namespace)`
	`417`	`+ereport(FATAL,`
	`418`	`+(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),`
	`419`	`+errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));`
`416`	`420`	`sendAuthRequest(port,AUTH_REQ_MD5);`
`417`	`421`	`status=recv_and_check_password_packet(port);`
`418`	`422`	`break;`

Lines changed: 10 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`*`
`11`	`11`	`*`
`12`	`12`	`* IDENTIFICATION`
`13`		`- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/2011:48:26 mha Exp $`
	`13`	`+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/2020:45:30 momjian Exp $`
`14`	`14`	`*`
`15`	`15`	`*-------------------------------------------------------------------------`
`16`	`16`	`*/`
`@@ -846,7 +846,16 @@ parse_hba_line(List line, int line_num, HbaLine parsedline)`
`846`	`846`	`elseif (strcmp(token, "reject")==0)`
`847`	`847`	`parsedline->auth_method=uaReject;`
`848`	`848`	`elseif (strcmp(token, "md5")==0)`
	`849`	`+{`
	`850`	`+if (Db_user_namespace)`
	`851`	`+{`
	`852`	`+ereport(LOG,`
	`853`	`+(errcode(ERRCODE_CONFIG_FILE_ERROR),`
	`854`	`+errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));`
	`855`	`+return false;`
	`856`	`+}`
`849`	`857`	`parsedline->auth_method=uaMD5;`
	`858`	`+}`
`850`	`859`	`elseif (strcmp(token, "pam")==0)`
`851`	`860`	`#ifdefUSE_PAM`
`852`	`861`	`parsedline->auth_method=uaPAM;`

Comments

(0)