From 170b66a0c5ed7b1921fb6119f0668136fecc0a05 Mon Sep 17 00:00:00 2001
From: Bruce Momjian <bruce@momjian.us>
Date: Thu, 20 Nov 2008 20:45:30 +0000
Subject: [PATCH] Issue a proper error message when MD5 is attempted when
db_user_namespace is enabled.
Also document this limitation.
---
doc/src/sgml/client-auth.sgml | 4 +++-
doc/src/sgml/config.sgml | 13 ++++++++++++-
src/backend/libpq/auth.c | 6 +++++-
src/backend/libpq/hba.c | 11 ++++++++++-
4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index f10a93953e1..4a8aea4d3a9 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.113 2008/11/20 20:45:29 momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@@ -712,6 +712,8 @@ omicron bryanh guest1
If you are at all concerned about password
<quote>sniffing</> attacks then <literal>md5</> is preferred.
Plain <literal>password</> should always be avoided if possible.
+ <literal>md5</> cannot be used with <xref
+ linkend="guc-db-user-namespace">.
</para>
<para>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 7931ea87377..dcb7c51b25a 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.195 2008/11/11 02:42:31 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.196 2008/11/20 20:45:29 momjian Exp $ -->
<chapter Id="runtime-config">
<title>Server Configuration</title>
@@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;
before the user name is looked up by the server.
</para>
+ <para>
+ <varname>db_user_namespace</> causes the client's and
+ server's user name representation to differ.
+ Authentication checks are always done with the server's user name
+ so authentication methods must be configured for the
+ server's user name, not the client's. Because
+ <literal>md5</> uses the user name as salt on both the
+ client and server, <literal>md5</> cannot be used with
+ <varname>db_user_namespace</>.
+ </para>
+
<note>
<para>
This feature is intended as a temporary measure until a
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 1d89e096820..9545ded268b 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -413,6 +413,10 @@ ClientAuthentication(Port *port)
break;
case uaMD5:
+ if (Db_user_namespace)
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
sendAuthRequest(port, AUTH_REQ_MD5);
status = recv_and_check_password_packet(port);
break;
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 2464c5f6f94..a70d53a0e2d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/20 11:48:26 mha Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/20 20:45:30 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -846,7 +846,16 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
else if (strcmp(token, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token, "md5") == 0)
+ {
+ if (Db_user_namespace)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
+ return false;
+ }
parsedline->auth_method = uaMD5;
+ }
else if (strcmp(token, "pam") == 0)
#ifdef USE_PAM
parsedline->auth_method = uaPAM;
--
GitLab