From bcb0ccf5be9ef9e1a76968e773cb2bd11565ef9c Mon Sep 17 00:00:00 2001
From: Bruce Momjian <bruce@momjian.us>
Date: Thu, 16 Aug 2001 16:24:16 +0000
Subject: [PATCH] Add new MD5 pg_hba.conf keyword.  Prevent fallback to crypt.

---
 doc/src/sgml/client-auth.sgml        | 35 ++++++++++++++++++----------
 doc/src/sgml/jdbc.sgml               |  4 ++--
 src/backend/libpq/auth.c             | 15 +++++-------
 src/backend/libpq/hba.c              |  7 +++---
 src/backend/libpq/pg_hba.conf.sample | 12 ++++++----
 src/include/libpq/hba.h              |  5 ++--
 6 files changed, 44 insertions(+), 34 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index a7c9c8616b3..76cba407515 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.17 2001/08/16 16:24:15 momjian Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -194,25 +194,36 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
 
          <para>
           The password is sent over the wire in clear text. For better
-          protection, use the <literal>crypt</literal> method.
+          protection, use the <literal>md5</literal> or 
+          <literal>crypt</literal> methods.
          </para>
         </listitem>
        </varlistentry>
 
        <varlistentry>
-        <term>crypt</>
+        <term>md5</>
         <listitem>
          <para>
           Like the <literal>password</literal> method, but the password
           is sent over the wire encrypted using a simple
           challenge-response protocol. This protects against incidental
           wire-sniffing. The name of a file may follow the
-          <literal>crypt</literal> keyword.  It contains a list of users
+          <literal>md5</literal> keyword.  It contains a list of users
           for this record.
          </para>
         </listitem>
        </varlistentry>
 
+       <varlistentry>
+        <term>crypt</>
+        <listitem>
+         <para>
+          Like the <literal>md5</literal> method but uses older crypt
+          authentication for pre-7.2 clients.
+         </para>
+        </listitem>
+       </varlistentry>
+
        <varlistentry>
         <term>krb4</>
         <listitem>
@@ -328,7 +339,7 @@ host         template1   192.168.93.0  255.255.255.0      ident     sameuser
 # Allow a user from host 192.168.12.10 to connect to database "template1"
 # if the user's password in pg_shadow is correctly supplied:
 
-host         template1   192.168.12.10 255.255.255.255    crypt
+host         template1   192.168.12.10 255.255.255.255    md5
 
 # In the absence of preceding "host" lines, these two lines will reject
 # all connection attempts from 192.168.54.1 (since that entry will be
@@ -377,11 +388,11 @@ host         all        192.168.0.0    255.255.0.0        ident     omicron
    </para>
 
    <para>
-    To restrict the set of users that are allowed to connect to
-    certain databases, list the set of users in a separate file (one
-    user name per line) in the same directory that
-    <filename>pg_hba.conf</> is in, and mention the (base) name of the
-    file after the <literal>password</> or <literal>crypt</> keyword,
+    To restrict the set of users that are allowed to connect to certain
+    databases, list the set of users in a separate file (one user name
+    per line) in the same directory that <filename>pg_hba.conf</> is in,
+    and mention the (base) name of the file after the
+    <literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,
     respectively, in <filename>pg_hba.conf</>. If you do not use this
     feature, then any user that is known to the database system can
     connect to any database (so long as he passes password
@@ -414,8 +425,8 @@ host         all        192.168.0.0    255.255.0.0        ident     omicron
    </para>
 
    <para>
-    Alternative passwords cannot be used when using the
-    <literal>crypt</> method. The file will still be evaluated as
+    Alternative passwords cannot be used when using the <literal>md5</>
+    or <literal>crypt</> methods. The file will still be evaluated as
     usual but the password field will simply be ignored and the
     <literal>pg_shadow</> password will be used.
    </para>
diff --git a/doc/src/sgml/jdbc.sgml b/doc/src/sgml/jdbc.sgml
index 0d02c039672..3063ee432df 100644
--- a/doc/src/sgml/jdbc.sgml
+++ b/doc/src/sgml/jdbc.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.20 2001/03/11 11:06:59 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.21 2001/08/16 16:24:15 momjian Exp $
 -->
 
  <chapter id="jdbc">
@@ -162,7 +162,7 @@ java uk.org.retep.finder.Main
     <filename>pg_hba.conf</filename> file may need to be configured.
     Refer to the <citetitle>Administrator's Guide</citetitle> for
     details.  The <acronym>JDBC</acronym> Driver supports trust,
-    ident, password, and crypt authentication methods.
+    ident, password, and md5, crypt authentication methods.
    </para>
   </sect2>
  </sect1>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 2fd417e6130..c139f93f715 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/16 04:27:18 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/16 16:24:15 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -501,19 +501,16 @@ ClientAuthentication(Port *port)
 			status = recv_and_check_password_packet(port);
 			break;
 
-		case uaMD5:
-			sendAuthRequest(port, AUTH_REQ_MD5);
-			if ((status = recv_and_check_password_packet(port)) == STATUS_OK)
-				break;
-			port->auth_method = uaCrypt;
-			/* Try crypt() for old client */
-			/* FALL THROUGH */
-			
 		case uaCrypt:
 			sendAuthRequest(port, AUTH_REQ_CRYPT);
 			status = recv_and_check_password_packet(port);
 			break;
 
+		case uaMD5:
+			sendAuthRequest(port, AUTH_REQ_MD5);
+			status = recv_and_check_password_packet(port);
+			break;
+
 		case uaTrust:
 			status = STATUS_OK;
 			break;
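Review bot: The new `case uaMD5:` arm has no comment saying that the missing retry with crypt is deliberate, and the removed lines show how easily a compatibility fallback ends up in this switch. The server now offers only the method named in pg_hba.conf, so a client cannot steer the exchange to the older scheme, and a failed attempt no longer gets a second password check. I would record that above the arm, e.g. `/* Only the configured method is offered; do not fall back to crypt on failure. */`. ClientAuthentication begins and ends outside this hunk, so how `status` is handled afterwards is not visible here.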
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f9e7898fb1a..cfafa712e12 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/16 04:27:18 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/16 16:24:15 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
 			*userauth_p = uaKrb5;
 		else if (strcmp(token, "reject") == 0)
 			*userauth_p = uaReject;
-		else if (strcmp(token, "crypt") == 0)
-			/* Try MD5 first; on failure, switch to crypt() */
+		else if (strcmp(token, "md5") == 0)
 			*userauth_p = uaMD5;
+		else if (strcmp(token, "crypt") == 0)
+			*userauth_p = uaCrypt;
 		else
 			*error_p = true;
 		line = lnext(line);
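Review bot: The `crypt` branch now sets `uaCrypt` with no comment marking it as the legacy method, while the removed comment shows that in the previous revision the same keyword tried MD5 first. An existing pg_hba.conf line that says `crypt` therefore changes meaning without any edit to the file, and per the sample file in this commit that method cannot be used with encrypted stored passwords. I would add `/* legacy crypt() method for pre-7.2 clients; new entries should use "md5" */` above the `crypt` test and mention the keyword change in the release notes. parse_hba_auth starts and ends outside this hunk.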
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index a489b78a70b..d7498717b59 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -115,13 +115,15 @@
 # 		utility. Remember, these passwords override pg_shadow
 # 		passwords.
 # 
-#   crypt:  	Same as "password", but authentication is done by
+#   md5:  	Same as "password", but authentication is done by
 #		encrypting the password sent over the network. This is
 #		always preferable to "password" except for old clients
-#		that don't support "crypt". Also, crypt can use
-#		usernames stored in secondary password files but not
-#		secondary passwords.
+#		that don't support it. Also, md5 can use usernames stored
+#		in secondary password files but not secondary passwords.
 # 
+#   crypt:  	Same as "md5", but uses crypt for pre-7.2 clients.  You can
+#		not store encrypted passwords if you use this option.
+#
 #   ident:	For TCP/IP connections, authentication is done by contacting
 #		the ident server on the client host.  (CAUTION: this is only
 #		as secure as the client machine!)  On machines that support
@@ -173,7 +175,7 @@
 # if the user's password in pg_shadow is correctly supplied:
 # 
 # TYPE       DATABASE    IP_ADDRESS    MASK               AUTH_TYPE  AUTH_ARGUMENT
-# host       template1   192.168.12.10 255.255.255.255    crypt
+# host       template1   192.168.12.10 255.255.255.255    md5
 # 
 # In the absence of preceding "host" lines, these two lines will reject
 # all connection from 192.168.54.1 (since that entry will be matched
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 11f052d3634..da506d7aee8 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
  *	  Interface to hba.c
  *
  *
- * $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $
+ * $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -36,8 +36,7 @@ typedef enum UserAuth
 	uaIdent,
 	uaPassword,
 	uaCrypt,
-	uaMD5		/* 	This starts as uaCrypt from pg_hba.conf, but gets 
-					overridden if the client supports MD5 */
+	uaMD5
 } UserAuth;
 
 typedef struct Port hbaPort;
-- 
GitLab