NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitbcb0ccf

committed

Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt.

1 parentf7eedfd commitbcb0ccfCopy full SHA for bcb0ccf

File tree

6 files changed

+44

-34

lines changed

doc/src/sgml
- client-auth.sgml
- jdbc.sgml
src
- backend/libpq
- include/libpq
  - hba.h

6 files changed

+44

-34

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 23 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ -->`
	`1`	`+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.17 2001/08/16 16:24:15 momjian Exp $ -->`
`2`	`2`
`3`	`3`	`<chapter id="client-authentication">`
`4`	`4`	`<title>Client Authentication</title>`
`@@ -194,25 +194,36 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable`
`194`	`194`
`195`	`195`	`<para>`
`196`	`196`	`The password is sent over the wire in clear text. For better`
`197`		`- protection, use the <literal>crypt</literal> method.`
	`197`	`+ protection, use the <literal>md5</literal> or`
	`198`	`+ <literal>crypt</literal> methods.`
`198`	`199`	`</para>`
`199`	`200`	`</listitem>`
`200`	`201`	`</varlistentry>`
`201`	`202`
`202`	`203`	`<varlistentry>`
`203`		`- <term>crypt</>`
	`204`	`+ <term>md5</>`
`204`	`205`	`<listitem>`
`205`	`206`	`<para>`
`206`	`207`	`Like the <literal>password</literal> method, but the password`
`207`	`208`	`is sent over the wire encrypted using a simple`
`208`	`209`	`challenge-response protocol. This protects against incidental`
`209`	`210`	`wire-sniffing. The name of a file may follow the`
`210`		`- <literal>crypt</literal> keyword. It contains a list of users`
	`211`	`+ <literal>md5</literal> keyword. It contains a list of users`
`211`	`212`	`for this record.`
`212`	`213`	`</para>`
`213`	`214`	`</listitem>`
`214`	`215`	`</varlistentry>`
`215`	`216`
	`217`	`+ <varlistentry>`
	`218`	`+ <term>crypt</>`
	`219`	`+ <listitem>`
	`220`	`+ <para>`
	`221`	`+ Like the <literal>md5</literal> method but uses older crypt`
	`222`	`+ authentication for pre-7.2 clients.`
	`223`	`+ </para>`
	`224`	`+ </listitem>`
	`225`	`+ </varlistentry>`
	`226`	`+`
`216`	`227`	`<varlistentry>`
`217`	`228`	`<term>krb4</>`
`218`	`229`	`<listitem>`
`@@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser`
`328`	`339`	`# Allow a user from host 192.168.12.10 to connect to database "template1"`
`329`	`340`	`# if the user's password in pg_shadow is correctly supplied:`
`330`	`341`
`331`		`-host template1 192.168.12.10 255.255.255.255crypt`
	`342`	`+host template1 192.168.12.10 255.255.255.255md5`
`332`	`343`
`333`	`344`	`# In the absence of preceding "host" lines, these two lines will reject`
`334`	`345`	`# all connection attempts from 192.168.54.1 (since that entry will be`
`@@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron`
`377`	`388`	`</para>`
`378`	`389`
`379`	`390`	`<para>`
`380`		`- To restrict the set of users that are allowed to connect to`
`381`		`-certaindatabases, list the set of users in a separate file (one`
`382`		`-user nameper line) in the same directory that`
`383`		`-<filename>pg_hba.conf</> is in,and mention the (base) name of the`
`384`		`-file after the<literal>password</> or <literal>crypt</> keyword,`
	`391`	`+ To restrict the set of users that are allowed to connect to certain`
	`392`	`+ databases, list the set of users in a separate file (one user name`
	`393`	`+ per line) in the same directory that <filename>pg_hba.conf</> is in,`
	`394`	`+ and mention the (base) name of the file after the`
	`395`	`+ <literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,`
`385`	`396`	`respectively, in <filename>pg_hba.conf</>. If you do not use this`
`386`	`397`	`feature, then any user that is known to the database system can`
`387`	`398`	`connect to any database (so long as he passes password`
`@@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron`
`414`	`425`	`</para>`
`415`	`426`
`416`	`427`	`<para>`
`417`		`- Alternative passwords cannot be used when using the`
`418`		`- <literal>crypt</>method. The file will still be evaluated as`
	`428`	`+ Alternative passwords cannot be used when using the <literal>md5</>`
	`429`	`+or<literal>crypt</>methods. The file will still be evaluated as`
`419`	`430`	`usual but the password field will simply be ignored and the`
`420`	`431`	`<literal>pg_shadow</> password will be used.`
`421`	`432`	`</para>`

`‎doc/src/sgml/jdbc.sgml`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.20 2001/03/11 11:06:59 petere Exp $`
	`2`	`+$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.21 2001/08/16 16:24:15 momjian Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<chapter id="jdbc">`
`@@ -162,7 +162,7 @@ java uk.org.retep.finder.Main`
`162`	`162`	`<filename>pg_hba.conf</filename> file may need to be configured.`
`163`	`163`	`Refer to the <citetitle>Administrator's Guide</citetitle> for`
`164`	`164`	`details. The <acronym>JDBC</acronym> Driver supports trust,`
`165`		`- ident, password, and crypt authentication methods.`
	`165`	`+ ident, password, andmd5,crypt authentication methods.`
`166`	`166`	`</para>`
`167`	`167`	`</sect2>`
`168`	`168`	`</sect1>`

`‎src/backend/libpq/auth.c`

Lines changed: 6 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/1604:27:18 momjian Exp $`
	`11`	`+ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/1616:24:15 momjian Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -501,19 +501,16 @@ ClientAuthentication(Port *port)`
`501`	`501`	`status=recv_and_check_password_packet(port);`
`502`	`502`	`break;`
`503`	`503`
`504`		`-caseuaMD5:`
`505`		`-sendAuthRequest(port,AUTH_REQ_MD5);`
`506`		`-if ((status=recv_and_check_password_packet(port))==STATUS_OK)`
`507`		`-break;`
`508`		`-port->auth_method=uaCrypt;`
`509`		`-/* Try crypt() for old client */`
`510`		`-/* FALL THROUGH */`
`511`		`-`
`512`	`504`	`caseuaCrypt:`
`513`	`505`	`sendAuthRequest(port,AUTH_REQ_CRYPT);`
`514`	`506`	`status=recv_and_check_password_packet(port);`
`515`	`507`	`break;`
`516`	`508`
	`509`	`+caseuaMD5:`
	`510`	`+sendAuthRequest(port,AUTH_REQ_MD5);`
	`511`	`+status=recv_and_check_password_packet(port);`
	`512`	`+break;`
	`513`	`+`
`517`	`514`	`caseuaTrust:`
`518`	`515`	`status=STATUS_OK;`
`519`	`516`	`break;`

`‎src/backend/libpq/hba.c`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`*`
`11`	`11`	`*`
`12`	`12`	`* IDENTIFICATION`
`13`		`- * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/1604:27:18 momjian Exp $`
	`13`	`+ * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/1616:24:15 momjian Exp $`
`14`	`14`	`*`
`15`	`15`	`*-------------------------------------------------------------------------`
`16`	`16`	`*/`
`@@ -226,9 +226,10 @@ parse_hba_auth(List line, ProtocolVersion proto, UserAuth userauth_p,`
`226`	`226`	`*userauth_p=uaKrb5;`
`227`	`227`	`elseif (strcmp(token,"reject")==0)`
`228`	`228`	`*userauth_p=uaReject;`
`229`		`-elseif (strcmp(token,"crypt")==0)`
`230`		`-/* Try MD5 first; on failure, switch to crypt() */`
	`229`	`+elseif (strcmp(token,"md5")==0)`
`231`	`230`	`*userauth_p=uaMD5;`
	`231`	`+elseif (strcmp(token,"crypt")==0)`
	`232`	`+*userauth_p=uaCrypt;`
`232`	`233`	`else`
`233`	`234`	`*error_p= true;`
`234`	`235`	`line=lnext(line);`

`‎src/backend/libpq/pg_hba.conf.sample`

Lines changed: 7 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -115,13 +115,15 @@`
`115`	`115`	`# utility. Remember, these passwords override pg_shadow`
`116`	`116`	`# passwords.`
`117`	`117`	`#`
`118`		`-#crypt: Same as "password", but authentication is done by`
	`118`	`+#md5: Same as "password", but authentication is done by`
`119`	`119`	`#encrypting the password sent over the network. This is`
`120`	`120`	`#always preferable to "password" except for old clients`
`121`		`-#that don't support "crypt". Also, crypt can use`
`122`		`-#usernames stored in secondary password files but not`
`123`		`-#secondary passwords.`
	`121`	`+#that don't support it. Also, md5 can use usernames stored`
	`122`	`+#in secondary password files but not secondary passwords.`
`124`	`123`	`#`
	`124`	`+# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can`
	`125`	`+#not store encrypted passwords if you use this option.`
	`126`	`+#`
`125`	`127`	`# ident:For TCP/IP connections, authentication is done by contacting`
`126`	`128`	`#the ident server on the client host. (CAUTION: this is only`
`127`	`129`	`#as secure as the client machine!) On machines that support`
`@@ -173,7 +175,7 @@`
`173`	`175`	`# if the user's password in pg_shadow is correctly supplied:`
`174`	`176`	`#`
`175`	`177`	`# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT`
`176`		`-# host template1 192.168.12.10 255.255.255.255crypt`
	`178`	`+# host template1 192.168.12.10 255.255.255.255md5`
`177`	`179`	`#`
`178`	`180`	`# In the absence of preceding "host" lines, these two lines will reject`
`179`	`181`	`# all connection from 192.168.54.1 (since that entry will be matched`

`‎src/include/libpq/hba.h`

Lines changed: 2 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`* Interface to hba.c`
`5`	`5`	`*`
`6`	`6`	`*`
`7`		`- * $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $`
	`7`	`+ * $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $`
`8`	`8`	`*`
`9`	`9`	`*-------------------------------------------------------------------------`
`10`	`10`	`*/`
`@@ -36,8 +36,7 @@ typedef enum UserAuth`
`36`	`36`	`uaIdent,`
`37`	`37`	`uaPassword,`
`38`	`38`	`uaCrypt,`
`39`		`-uaMD5/* This starts as uaCrypt from pg_hba.conf, but gets`
`40`		`-overridden if the client supports MD5 */`
	`39`	`+uaMD5`
`41`	`40`	`}UserAuth;`
`42`	`41`
`43`	`42`	`typedefstructPorthbaPort;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbcb0ccf

File tree

6 files changed

6 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎doc/src/sgml/jdbc.sgml`

`‎src/backend/libpq/auth.c`

`‎src/backend/libpq/hba.c`

`‎src/backend/libpq/pg_hba.conf.sample`

`‎src/include/libpq/hba.h`

0 commit comments