pg_hba.conf "password" authentication broken?
От | Jim Mercer |
---|---|
Тема | pg_hba.conf "password" authentication broken? |
Дата | |
Msg-id | 20010330195112.N29550@reptiles.org обсуждение исходный текст |
Список | pgsql-hackers |
if i use type "crypt", the backend assumes that the client is handing it an already encrypted passwd, and then compares it to an encrypted version of pg_shadow->passwd. and if i use type "password filename", the backend assumes a clear text password from the client, and then compares an encrypted version of that to the normal contents of the second field of "filename". however, if i use type "password", it just does a clear text comparison of the password from the client and the password in pg_shadow. attached are patches which allow for a special case type "password pg_shadow", which similar to supplying a filename, actually encrypts the cleartext password from the client, and compares it to the normal contents of pg_shadow. this allows the storage of encrypted passwords in pg_shadow. i was unable to determine any other way of not storing clear text passwords in pg_shadow. i implemented this in such a way that it will not impact existing installations. -- [ Jim Mercer jim@pneumonoultramicroscopicsilicovolcanoconiosis.ca ] [ Reptilian Research -- Longer Life through Colder Blood ] [ aka jim@reptiles.org +1 416 410-5633 ] *** auth.c.orig Fri Mar 30 19:37:08 2001 --- auth.c Fri Mar 30 19:28:20 2001 *************** *** 695,701 **** static int checkPassword(Port *port, char *user, char *password) { ! if (port->auth_method == uaPassword && port->auth_arg[0] != '\0') return verify_password(port->auth_arg, user,password); return crypt_verify(port, user, password); --- 695,702 ---- static int checkPassword(Port *port, char *user, char *password) { ! if (port->auth_method == uaPassword && port->auth_arg[0] != '\0' ! && strcmp(port->auth_arg, "pg_shadow") != 0) return verify_password(port->auth_arg, user, password); return crypt_verify(port, user, password); *** crypt.c.orig Fri Mar 30 19:38:26 2001 --- crypt.c Fri Mar 30 19:39:07 2001 *************** *** 280,287 **** * authentication method being used for this connection. */ ! crypt_pwd = ! (port->auth_method == uaCrypt ? crypt(passwd, port->salt) : passwd); if (!strcmp(pgpass, crypt_pwd)) { --- 280,294 ---- * authentication method being used for this connection. */ ! if (port->auth_method == uaCrypt) ! crypt_pwd = crypt(passwd, port->salt); ! else ! { ! /* if port->auth_arg, encrypt password from client before compare */ ! if (port->auth_arg[0] != 0) ! pgpass = crypt(pgpass, passwd); ! crypt_pwd = passwd; ! } if (!strcmp(pgpass, crypt_pwd)) {
В списке pgsql-hackers по дате отправления: