Thread: libpq / crypt / md5 question


libpq / crypt / md5 question

From
Mitch Vincent
Date:
I have a mail server using a PostgreSQL database for virtual lookups 
and I'm using Courier IMAP with the pgsql hooks for mailbox access.. 
First, this setup is working beautifully, that's not the problem..

It seems that courier can only connect to the PG database when the auth 
type is set to crypt in the pg_hba.conf file. This is somewhat strange 
but brings me to my question..

On the client side, am I responsible for making the password an MD5 
hash, or does libpq take care of that on its own? In courier's pgsql 
code I see :

pgconn = PQsetdbLogin(server, server_port, server_opt, NULL , 
database,userid,password);

..... Which is pretty straight-forward, but that password is always 
going to be passed to PQsetdbLogin() as plain text.. So where does the 
MD5'ing or DES crypt'ing come into the connection? I've honestly never 
paid any attention to the auth type until now as I've *always* used 
just a local socket for access to PG, or the trust auth type (none of 
my servers were public and accessible by more than a controlled group 
of users until now)..

If I missed any of this in the documentation, please feel free to smack 
me with a RTFM stick. :-)

Thanks guys!

-Mitch

There are three kinds of people in this world. Those that can count and 
those that can't.



Re: libpq / crypt / md5 question

From
Tom Lane
Date:
Mitch Vincent <mitch@doot.org> writes:
> On the client side, am I responsible for making the password an MD5 
> hash, or does libpq take care of that on its own?

libpq does it.  This is necessary, since the client shouldn't be
expected to know which way the password is to be encrypted on the wire.
The password given to libpq must always be cleartext.

> It seems that courier can only connect to the PG database when the auth 
> type is set to crypt in the pg_hba.conf file. This is somewhat strange

I suspect it means that courier is linked to an old version of libpq.
        regards, tom lane
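
Added example (not part of the original thread, and not libpq's own source): a Python model of the md5 password exchange that libpq carries out internally when pg_hba.conf asks for md5, showing why the caller must hand over cleartext and why an application that pre-hashes the password fails to authenticate. The role name, password and salt are constructed sample values.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    """Value the server keeps for an md5 role: 'md5' + md5(password || username)."""
    return "md5" + md5_hex(password.encode() + user.encode())


def client_response(user: str, password: str, salt: bytes) -> str:
    """What the client library derives from the cleartext password and the
    4-byte salt the server sends in its md5 authentication request."""
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(stored: str, salt: bytes, response: str) -> bool:
    """Server side: salt the stored hash the same way and compare."""
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    user, password = "courier", "s3cret-example"  # constructed sample values
    salt = os.urandom(4)                          # fresh per connection attempt
    stored = stored_verifier(user, password)

    # Normal case: the application passes cleartext, the library hashes it.
    ok = server_check(stored, salt, client_response(user, password, salt))
    print("cleartext passed to library :", ok)

    # Failure mode: the application hashes first, the library hashes again,
    # so the response no longer matches what the server expects.
    prehashed = md5_hex(password.encode() + user.encode())
    bad = server_check(stored, salt, client_response(user, prehashed, salt))
    print("pre-hashed by the application:", bad)
```
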


Re: libpq / crypt / md5 question

From
Mitch Vincent
Date:
I'm not sure how it's linking to an old libpq as it's a fresh install 
with only one install of PG but I will investigate now that I have the 
answer below..

Thanks Tom! Fast and helpful as always! Do you ever take a day off? :-)

> Mitch Vincent <mitch@doot.org> writes:
>> On the client side, am I responsible for making the password an MD5
>> hash, or does libpq take care of that on its own?
>
> libpq does it.  This is necessary, since the client shouldn't be
> expected to know which way the password is to be encrypted on the wire.
> The password given to libpq must always be cleartext.
>
>> It seems that courier can only connect to the PG database when the auth
>> type is set to crypt in the pg_hba.conf file. This is somewhat strange
>
> I suspect it means that courier is linked to an old version of libpq.
>
>             regards, tom lane
>
>

-Mitch

Freedom is the right to be wrong, not the right to do wrong.