Re: [HACKERS] User authentication bug?
From | Maarten Boekhold |
---|---|
Subject | Re: [HACKERS] User authentication bug? |
Date | |
Msg-id | Pine.SUN.3.91.980802134014.5727A-100000@dutepp0.et.tudelft.nl |
In response to | Re: [HACKERS] User authentication bug? (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: [INTERFACES] Re: [HACKERS] User authentication bug? |
List | pgsql-hackers |
On Sat, 1 Aug 1998, Tom Lane wrote:

> Maarten Boekhold <maartenb@dutepp2.et.tudelft.nl> writes:
> > OK, I now know what's going on, at least at my home (I had this problem
> > on another server, dunno if it's caused by the same thing):
> > I had a password longer than 8 characters in pg_shadow.
> > when creating a user, postgres happily accepts more than 8 chars, and
> > also stores them. apparently libpq-fe (or psql, dunno) only sends 8
> > chars.
>
> It's not libpq's fault (at least not with the current sources).
> It's psql's. psql.c had a hardwired limit of 8 characters on
> both the username and the password. Ick.
>
> With the attached patch, I have verified that long (> 8char anyway)
> usernames and passwords work correctly in both "password" and "crypt"
> authorization mode. NOTE: at least on my machine, it seems that the
> crypt() routines ignore the part of the password beyond 8 characters,
> so there's no security gain from longer passwords in crypt auth mode.
> But they don't fail.

....

> It's possible that there are still bogus length limits on username
> or password in some of the other PostgreSQL user interfaces besides
> psql/libpq. I will leave it to other folks to check that code.

I think the perl-module behaves the same, but I'm not totally sure about
it. I have a script where passing a 9 chars username to PQconnectdb()
fails to connect to a backend, while if I truncate the username to 8
chars it works.

Maarten

_____________________________________________________________________________
| TU Delft, The Netherlands, Faculty of Information Technology and Systems  |
|                   Department of Electrical Engineering                    |
|           Computer Architecture and Digital Technique section             |
|                          M.Boekhold@et.tudelft.nl                         |
-----------------------------------------------------------------------------
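Added example, not part of the original message or of the PostgreSQL sources: a small C probe for the failure mode discussed in this thread, where a client keeps only 8 characters of a credential while the server stores the full value. The reader functions, `FIELD_SIZE`, the simplified "password" comparison and the sample password are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OLD_LIMIT 8    /* hardwired limit described in the thread */
#define FIELD_SIZE 64  /* assumed buffer size for this example */

/* Hypothetical client reader: keeps at most OLD_LIMIT chars, drops the rest silently. */
static int read_truncating(const char *typed, char *out)
{
    size_t n = strlen(typed);
    if (n > OLD_LIMIT)
        n = OLD_LIMIT;
    memcpy(out, typed, n);
    out[n] = '\0';
    return 0;                      /* reports success even when data was lost */
}

/* Length-checked reader: copies the whole value or returns -1, never truncates. */
static int read_checked(const char *typed, char *out)
{
    size_t n = strlen(typed);
    if (n >= FIELD_SIZE)
        return -1;
    memcpy(out, typed, n + 1);
    return 0;
}

/* Simplified "password" auth: exact match against the stored value. */
static int auth_ok(const char *sent, const char *stored)
{
    return strcmp(sent, stored) == 0;
}

/* Probe lengths 1..maxlen; return the first length a reader accepts but alters (0 if none). */
static size_t first_silent_truncation(int (*reader)(const char *, char *), size_t maxlen)
{
    char in[FIELD_SIZE], out[FIELD_SIZE];
    for (size_t len = 1; len <= maxlen && len < FIELD_SIZE; len++) {
        memset(in, 'a', len);
        in[len] = '\0';
        if (reader(in, out) == 0 && strcmp(in, out) != 0)
            return len;
    }
    return 0;
}

int main(void)
{
    char sent[FIELD_SIZE];
    read_truncating("secret-09", sent);   /* constructed 9-character password */
    printf("sent \"%s\", auth %s, first altered length %zu\n", sent,
           auth_ok(sent, "secret-09") ? "ok" : "fails",
           first_silent_truncation(read_truncating, 32));
    return 0;
}
```

The same boundary probe can be pointed at any interface's credential-reading routine to find a leftover length limit of the kind the thread asks others to check for.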