Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitbcb0ccf

Browse files
committed
Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt.
1 parentf7eedfd commitbcb0ccf

File tree

6 files changed

+44
-34
lines changed

6 files changed

+44
-34
lines changed

‎doc/src/sgml/client-auth.sgml‎

Lines changed: 23 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ -->
1+
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.17 2001/08/16 16:24:15 momjian Exp $ -->
22

33
<chapter id="client-authentication">
44
<title>Client Authentication</title>
@@ -194,25 +194,36 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
194194

195195
<para>
196196
The password is sent over the wire in clear text. For better
197-
protection, use the <literal>crypt</literal> method.
197+
protection, use the <literal>md5</literal> or
198+
<literal>crypt</literal> methods.
198199
</para>
199200
</listitem>
200201
</varlistentry>
201202

202203
<varlistentry>
203-
<term>crypt</>
204+
<term>md5</>
204205
<listitem>
205206
<para>
206207
Like the <literal>password</literal> method, but the password
207208
is sent over the wire encrypted using a simple
208209
challenge-response protocol. This protects against incidental
209210
wire-sniffing. The name of a file may follow the
210-
<literal>crypt</literal> keyword. It contains a list of users
211+
<literal>md5</literal> keyword. It contains a list of users
211212
for this record.
212213
</para>
213214
</listitem>
214215
</varlistentry>
215216

217+
<varlistentry>
218+
<term>crypt</>
219+
<listitem>
220+
<para>
221+
Like the <literal>md5</literal> method but uses older crypt
222+
authentication for pre-7.2 clients.
223+
</para>
224+
</listitem>
225+
</varlistentry>
226+
216227
<varlistentry>
217228
<term>krb4</>
218229
<listitem>
@@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser
328339
# Allow a user from host 192.168.12.10 to connect to database "template1"
329340
# if the user's password in pg_shadow is correctly supplied:
330341

331-
host template1 192.168.12.10 255.255.255.255crypt
342+
host template1 192.168.12.10 255.255.255.255md5
332343

333344
# In the absence of preceding "host" lines, these two lines will reject
334345
# all connection attempts from 192.168.54.1 (since that entry will be
@@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron
377388
</para>
378389

379390
<para>
380-
To restrict the set of users that are allowed to connect to
381-
certaindatabases, list the set of users in a separate file (one
382-
user nameper line) in the same directory that
383-
<filename>pg_hba.conf</> is in,and mention the (base) name of the
384-
file after the<literal>password</> or <literal>crypt</> keyword,
391+
To restrict the set of users that are allowed to connect to certain
392+
databases, list the set of users in a separate file (one user name
393+
per line) in the same directory that <filename>pg_hba.conf</> is in,
394+
and mention the (base) name of the file after the
395+
<literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,
385396
respectively, in <filename>pg_hba.conf</>. If you do not use this
386397
feature, then any user that is known to the database system can
387398
connect to any database (so long as he passes password
@@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
414425
</para>
415426

416427
<para>
417-
Alternative passwords cannot be used when using the
418-
<literal>crypt</>method. The file will still be evaluated as
428+
Alternative passwords cannot be used when using the <literal>md5</>
429+
or<literal>crypt</>methods. The file will still be evaluated as
419430
usual but the password field will simply be ignored and the
420431
<literal>pg_shadow</> password will be used.
421432
</para>

‎doc/src/sgml/jdbc.sgml‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.20 2001/03/11 11:06:59 petere Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.21 2001/08/16 16:24:15 momjian Exp $
33
-->
44

55
<chapter id="jdbc">
@@ -162,7 +162,7 @@ java uk.org.retep.finder.Main
162162
<filename>pg_hba.conf</filename> file may need to be configured.
163163
Refer to the <citetitle>Administrator's Guide</citetitle> for
164164
details. The <acronym>JDBC</acronym> Driver supports trust,
165-
ident, password, and crypt authentication methods.
165+
ident, password, andmd5,crypt authentication methods.
166166
</para>
167167
</sect2>
168168
</sect1>

‎src/backend/libpq/auth.c‎

Lines changed: 6 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/1604:27:18 momjian Exp $
11+
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/1616:24:15 momjian Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -501,19 +501,16 @@ ClientAuthentication(Port *port)
501501
status=recv_and_check_password_packet(port);
502502
break;
503503

504-
caseuaMD5:
505-
sendAuthRequest(port,AUTH_REQ_MD5);
506-
if ((status=recv_and_check_password_packet(port))==STATUS_OK)
507-
break;
508-
port->auth_method=uaCrypt;
509-
/* Try crypt() for old client */
510-
/* FALL THROUGH */
511-
512504
caseuaCrypt:
513505
sendAuthRequest(port,AUTH_REQ_CRYPT);
514506
status=recv_and_check_password_packet(port);
515507
break;
516508

509+
caseuaMD5:
510+
sendAuthRequest(port,AUTH_REQ_MD5);
511+
status=recv_and_check_password_packet(port);
512+
break;
513+
517514
caseuaTrust:
518515
status=STATUS_OK;
519516
break;

‎src/backend/libpq/hba.c‎

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
*
1111
*
1212
* IDENTIFICATION
13-
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/1604:27:18 momjian Exp $
13+
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/1616:24:15 momjian Exp $
1414
*
1515
*-------------------------------------------------------------------------
1616
*/
@@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
226226
*userauth_p=uaKrb5;
227227
elseif (strcmp(token,"reject")==0)
228228
*userauth_p=uaReject;
229-
elseif (strcmp(token,"crypt")==0)
230-
/* Try MD5 first; on failure, switch to crypt() */
229+
elseif (strcmp(token,"md5")==0)
231230
*userauth_p=uaMD5;
231+
elseif (strcmp(token,"crypt")==0)
232+
*userauth_p=uaCrypt;
232233
else
233234
*error_p= true;
234235
line=lnext(line);

‎src/backend/libpq/pg_hba.conf.sample‎

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -115,13 +115,15 @@
115115
# utility. Remember, these passwords override pg_shadow
116116
# passwords.
117117
#
118-
#crypt: Same as "password", but authentication is done by
118+
#md5: Same as "password", but authentication is done by
119119
#encrypting the password sent over the network. This is
120120
#always preferable to "password" except for old clients
121-
#that don't support "crypt". Also, crypt can use
122-
#usernames stored in secondary password files but not
123-
#secondary passwords.
121+
#that don't support it. Also, md5 can use usernames stored
122+
#in secondary password files but not secondary passwords.
124123
#
124+
# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can
125+
#not store encrypted passwords if you use this option.
126+
#
125127
# ident:For TCP/IP connections, authentication is done by contacting
126128
#the ident server on the client host. (CAUTION: this is only
127129
#as secure as the client machine!) On machines that support
@@ -173,7 +175,7 @@
173175
# if the user's password in pg_shadow is correctly supplied:
174176
#
175177
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
176-
# host template1 192.168.12.10 255.255.255.255crypt
178+
# host template1 192.168.12.10 255.255.255.255md5
177179
#
178180
# In the absence of preceding "host" lines, these two lines will reject
179181
# all connection from 192.168.54.1 (since that entry will be matched

‎src/include/libpq/hba.h‎

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
* Interface to hba.c
55
*
66
*
7-
* $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $
7+
* $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $
88
*
99
*-------------------------------------------------------------------------
1010
*/
@@ -36,8 +36,7 @@ typedef enum UserAuth
3636
uaIdent,
3737
uaPassword,
3838
uaCrypt,
39-
uaMD5/* This starts as uaCrypt from pg_hba.conf, but gets
40-
overridden if the client supports MD5 */
39+
uaMD5
4140
}UserAuth;
4241

4342
typedefstructPorthbaPort;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp