Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitc1c888a

Browse files
committed
Code review for MD5 authorization patch. Clean up some breakage
(salts were always zero!?), add much missing documentation.
1 parent4e77b4a commitc1c888a

File tree

13 files changed

+269
-153
lines changed

13 files changed

+269
-153
lines changed

‎doc/src/sgml/client-auth.sgml‎

Lines changed: 12 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.19 2001/09/09 23:52:12 petere Exp $ -->
1+
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.20 2001/09/21 20:31:41 tgl Exp $ -->
22

33
<chapter id="client-authentication">
44
<title>Client Authentication</title>
@@ -219,7 +219,13 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
219219
<listitem>
220220
<para>
221221
Like the <literal>md5</literal> method but uses older crypt
222-
authentication for pre-7.2 clients.
222+
authentication for pre-7.2 clients. <literal>md5</literal>
223+
is preferred, unless you need to support old clients that
224+
do not have <literal>md5</literal>. The <literal>crypt</>
225+
method is not compatible with encrypting passwords in
226+
<filename>pg_shadow</>, and it has been observed to fail
227+
when client and server machines have different implementations
228+
of the crypt() library routine.
223229
</para>
224230
</listitem>
225231
</varlistentry>
@@ -284,7 +290,7 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
284290
<term><literal>pam</></term>
285291
<listitem>
286292
<para>
287-
This authentication type operatessimilar to
293+
This authentication type operatessimilarly to
288294
<firstterm>password</firstterm>, with the main difference that
289295
it will use PAM (Pluggable Authentication Modules) as the
290296
authentication mechanism. The <replaceable>authentication
@@ -448,9 +454,9 @@ host all 192.168.0.0 255.255.0.0 ident omicron
448454

449455
<para>
450456
Alternative passwords cannot be used when using the <literal>md5</>
451-
or <literal>crypt</> methods. The file willstillbeevaluated as
452-
usual but the password field will simply be ignored and the
453-
<literal>pg_shadow</> password will be used.
457+
or <literal>crypt</> methods. The file will beread as
458+
usual, but the password field will simply be ignored and the
459+
<literal>pg_shadow</> password willalwaysbe used.
454460
</para>
455461

456462
<para>

‎doc/src/sgml/protocol.sgml‎

Lines changed: 155 additions & 76 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/protocol.sgml,v 1.20 2001/09/13 15:55:23 petere Exp $ -->
1+
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/protocol.sgml,v 1.21 2001/09/21 20:31:42 tgl Exp $ -->
22

33
<chapter id="protocol">
44
<title>Frontend/Backend Protocol</title>
@@ -142,27 +142,59 @@
142142
</VarListEntry>
143143

144144
<VarListEntry>
145-
<Term>AuthenticationUnencryptedPassword</Term>
145+
<Term>AuthenticationCleartextPassword</Term>
146146
<ListItem>
147147
<Para>
148-
The frontend must then send an UnencryptedPasswordPacket. If
148+
The frontend must then send a PasswordPacket containing the
149+
password in clear-text form. If
149150
this is the correct password, the server responds with an
150151
AuthenticationOk, otherwise it responds with an ErrorResponse.
151152
</Para>
152153
</ListItem>
153154
</VarListEntry>
154155

155156
<VarListEntry>
156-
<Term>AuthenticationEncryptedPassword</Term>
157+
<Term>AuthenticationCryptPassword</Term>
157158
<ListItem>
158159
<Para>
159-
The frontend must then send an EncryptedPasswordPacket. If
160+
The frontend must then send a PasswordPacket containing the
161+
password encrypted via crypt(3), using the 2-character salt
162+
specified in the AuthenticationCryptPassword packet. If
160163
this is the correct password, the server responds with an
161164
AuthenticationOk, otherwise it responds with an ErrorResponse.
162165
</Para>
163166
</ListItem>
164167
</VarListEntry>
165168

169+
<VarListEntry>
170+
<Term>AuthenticationMD5Password</Term>
171+
<ListItem>
172+
<Para>
173+
The frontend must then send a PasswordPacket containing the
174+
password encrypted via MD5, using the 4-character salt
175+
specified in the AuthenticationMD5Password packet. If
176+
this is the correct password, the server responds with an
177+
AuthenticationOk, otherwise it responds with an ErrorResponse.
178+
</Para>
179+
</ListItem>
180+
</VarListEntry>
181+
182+
<VarListEntry>
183+
<Term>AuthenticationSCMCredential</Term>
184+
<ListItem>
185+
<Para>
186+
This method is only possible for local Unix-domain connections
187+
on platforms that support SCM credential messages. The frontend
188+
must issue an SCM credential message and then send a single data
189+
byte. (The contents of the data byte are uninteresting; it's
190+
only used to ensure that the server waits long enough to receive
191+
the credential message.) If the credential is acceptable,
192+
the server responds with an
193+
AuthenticationOk, otherwise it responds with an ErrorResponse.
194+
</Para>
195+
</ListItem>
196+
</VarListEntry>
197+
166198
</VariableList>
167199
</Para>
168200

@@ -857,7 +889,7 @@ AuthenticationKerberosV5 (B)
857889
</VarListEntry>
858890
<VarListEntry>
859891
<Term>
860-
AuthenticationUnencryptedPassword (B)
892+
AuthenticationCleartextPassword (B)
861893
</Term>
862894
<ListItem>
863895
<Para>
@@ -879,19 +911,18 @@ AuthenticationUnencryptedPassword (B)
879911
</Term>
880912
<ListItem>
881913
<Para>
882-
Specifies thatan unencrypted password is required.
914+
Specifies thata cleartext password is required.
883915
</Para>
884916
</ListItem>
885917
</VarListEntry>
886918
</VariableList>
887-
888-
889919
</Para>
890920
</ListItem>
891921
</VarListEntry>
922+
892923
<VarListEntry>
893924
<Term>
894-
AuthenticationEncryptedPassword (B)
925+
AuthenticationCryptPassword (B)
895926
</Term>
896927
<ListItem>
897928
<Para>
@@ -913,7 +944,7 @@ AuthenticationEncryptedPassword (B)
913944
</Term>
914945
<ListItem>
915946
<Para>
916-
Specifies thatanencrypted password is required.
947+
Specifies thata crypt()-encrypted password is required.
917948
</Para>
918949
</ListItem>
919950
</VarListEntry>
@@ -932,6 +963,85 @@ AuthenticationEncryptedPassword (B)
932963
</Para>
933964
</ListItem>
934965
</VarListEntry>
966+
967+
<VarListEntry>
968+
<Term>
969+
AuthenticationMD5Password (B)
970+
</Term>
971+
<ListItem>
972+
<Para>
973+
974+
<VariableList>
975+
<VarListEntry>
976+
<Term>
977+
Byte1('R')
978+
</Term>
979+
<ListItem>
980+
<Para>
981+
Identifies the message as an authentication request.
982+
</Para>
983+
</ListItem>
984+
</VarListEntry>
985+
<VarListEntry>
986+
<Term>
987+
Int32(5)
988+
</Term>
989+
<ListItem>
990+
<Para>
991+
Specifies that an MD5-encrypted password is required.
992+
</Para>
993+
</ListItem>
994+
</VarListEntry>
995+
<VarListEntry>
996+
<Term>
997+
Byte4
998+
</Term>
999+
<ListItem>
1000+
<Para>
1001+
The salt to use when encrypting the password.
1002+
</Para>
1003+
</ListItem>
1004+
</VarListEntry>
1005+
</VariableList>
1006+
1007+
</Para>
1008+
</ListItem>
1009+
</VarListEntry>
1010+
1011+
<VarListEntry>
1012+
<Term>
1013+
AuthenticationSCMCredential (B)
1014+
</Term>
1015+
<ListItem>
1016+
<Para>
1017+
1018+
<VariableList>
1019+
<VarListEntry>
1020+
<Term>
1021+
Byte1('R')
1022+
</Term>
1023+
<ListItem>
1024+
<Para>
1025+
Identifies the message as an authentication request.
1026+
</Para>
1027+
</ListItem>
1028+
</VarListEntry>
1029+
<VarListEntry>
1030+
<Term>
1031+
Int32(6)
1032+
</Term>
1033+
<ListItem>
1034+
<Para>
1035+
Specifies that an SCM credentials message is required.
1036+
</Para>
1037+
</ListItem>
1038+
</VarListEntry>
1039+
</VariableList>
1040+
1041+
</Para>
1042+
</ListItem>
1043+
</VarListEntry>
1044+
9351045
<VarListEntry>
9361046
<Term>
9371047
BackendKeyData (B)
@@ -1271,40 +1381,7 @@ EmptyQueryResponse (B)
12711381
</Para>
12721382
</ListItem>
12731383
</VarListEntry>
1274-
<VarListEntry>
1275-
<Term>
1276-
EncryptedPasswordPacket (F)
1277-
</Term>
1278-
<ListItem>
1279-
<Para>
1280-
1281-
<VariableList>
1282-
<VarListEntry>
1283-
<Term>
1284-
Int32
1285-
</Term>
1286-
<ListItem>
1287-
<Para>
1288-
The size of the packet in bytes.
1289-
</Para>
1290-
</ListItem>
1291-
</VarListEntry>
1292-
<VarListEntry>
1293-
<Term>
1294-
String
1295-
</Term>
1296-
<ListItem>
1297-
<Para>
1298-
The encrypted (using MD5 or crypt()) password.
1299-
</Para>
1300-
</ListItem>
1301-
</VarListEntry>
1302-
</VariableList>
13031384

1304-
1305-
</Para>
1306-
</ListItem>
1307-
</VarListEntry>
13081385
<VarListEntry>
13091386
<Term>
13101387
ErrorResponse (B)
@@ -1599,9 +1676,43 @@ NotificationResponse (B)
15991676
</VariableList>
16001677

16011678

1679+
</Para>
1680+
</ListItem>
1681+
</VarListEntry>
1682+
1683+
<VarListEntry>
1684+
<Term>
1685+
PasswordPacket (F)
1686+
</Term>
1687+
<ListItem>
1688+
<Para>
1689+
1690+
<VariableList>
1691+
<VarListEntry>
1692+
<Term>
1693+
Int32
1694+
</Term>
1695+
<ListItem>
1696+
<Para>
1697+
The size of the packet in bytes.
16021698
</Para>
16031699
</ListItem>
16041700
</VarListEntry>
1701+
<VarListEntry>
1702+
<Term>
1703+
String
1704+
</Term>
1705+
<ListItem>
1706+
<Para>
1707+
The password (encrypted, if requested).
1708+
</Para>
1709+
</ListItem>
1710+
</VarListEntry>
1711+
</VariableList>
1712+
</Para>
1713+
</ListItem>
1714+
</VarListEntry>
1715+
16051716
<VarListEntry>
16061717
<Term>
16071718
Query (F)
@@ -1852,39 +1963,7 @@ Terminate (F)
18521963
</Para>
18531964
</ListItem>
18541965
</VarListEntry>
1855-
<VarListEntry>
1856-
<Term>
1857-
UnencryptedPasswordPacket (F)
1858-
</Term>
1859-
<ListItem>
1860-
<Para>
1861-
1862-
<VariableList>
1863-
<VarListEntry>
1864-
<Term>
1865-
Int32
1866-
</Term>
1867-
<ListItem>
1868-
<Para>
1869-
The size of the packet in bytes.
1870-
</Para>
1871-
</ListItem>
1872-
</VarListEntry>
1873-
<VarListEntry>
1874-
<Term>
1875-
String
1876-
</Term>
1877-
<ListItem>
1878-
<Para>
1879-
The unencrypted password.
1880-
</Para>
1881-
</ListItem>
1882-
</VarListEntry>
1883-
</VariableList>
18841966

1885-
</Para>
1886-
</ListItem>
1887-
</VarListEntry>
18881967
</VariableList>
18891968

18901969
</sect1>

‎doc/src/sgml/ref/alter_user.sgml‎

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/ref/alter_user.sgml,v 1.16 2001/09/03 12:57:49 petere Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/ref/alter_user.sgml,v 1.17 2001/09/21 20:31:45 tgl Exp $
33
Postgres documentation
44
-->
55

@@ -53,13 +53,23 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
5353
</varlistentry>
5454

5555
<varlistentry>
56-
<term><replaceable class="PARAMETER">[ encrypted | unencrypted ]password</replaceable></term>
56+
<term><replaceable class="PARAMETER">password</replaceable></term>
5757
<listitem>
5858
<para>
5959
The new password to be used for this account.
60-
<literal>Encrypted</literal>/ <literal>unencrypted</literal>
61-
controls whether the password is stored encrypted in the
62-
database.
60+
</para>
61+
</listitem>
62+
</varlistentry>
63+
64+
<varlistentry>
65+
<term>ENCRYPTED</term>
66+
<term>UNENCRYPTED</term>
67+
<listitem>
68+
<para>
69+
These keywords control whether the
70+
password is stored encrypted in <literal>pg_shadow</>. (See
71+
<xref linkend="SQL-CREATEUSER" endterm="SQL-CREATEUSER-title">
72+
for more information about this choice.)
6373
</para>
6474
</listitem>
6575
</varlistentry>

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp