Thread

  1. pg_hba.conf "password" authentication broken?

    Jim Mercer <jim@reptiles.org> — 2001-03-31T00:51:12Z

    if i use type "crypt", the backend assumes that the client is
    handing it an already encrypted passwd, and then compares it to an encrypted
    version of pg_shadow->passwd.
    
    and if i use type "password filename", the backend assumes a clear text
    password from the client, and then compares an encrypted version of that
    to the normal contents of the second field of "filename".
    
    however, if i use type "password", it just does a clear text comparison
    of the password from the client and the password in pg_shadow.
    
    attached are patches which allow for a special case type "password pg_shadow",
    which, similar to supplying a filename, actually encrypts the cleartext
    password from the client, and compares it to the normal contents of pg_shadow.
    
    this allows the storage of encrypted passwords in pg_shadow.
    
    i was unable to determine any other way of not storing clear text passwords
    in pg_shadow.
    
    i implemented this in such a way that it will not impact existing
    installations.
    
    -- 
    [ Jim Mercer          jim@pneumonoultramicroscopicsilicovolcanoconiosis.ca ]
    [          Reptilian Research -- Longer Life through Colder Blood          ]
    [ aka                        jim@reptiles.org              +1 416 410-5633 ]
    
    
    *** auth.c.orig	Fri Mar 30 19:37:08 2001
    --- auth.c	Fri Mar 30 19:28:20 2001
    ***************
    *** 695,701 ****
      static int
      checkPassword(Port *port, char *user, char *password)
      {
    ! 	if (port->auth_method == uaPassword && port->auth_arg[0] != '\0')
      		return verify_password(port->auth_arg, user, password);
      
      	return crypt_verify(port, user, password);
    --- 695,702 ----
      static int
      checkPassword(Port *port, char *user, char *password)
      {
    ! 	if (port->auth_method == uaPassword && port->auth_arg[0] != '\0'
    ! 			&& strcmp(port->auth_arg, "pg_shadow") != 0)
      		return verify_password(port->auth_arg, user, password);
      
      	return crypt_verify(port, user, password);
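    Review bot: the new condition in checkPassword() compares against the bare literal "pg_shadow", while the matching branch in crypt_verify (crypt.c) keys on a different test, `port->auth_arg[0] != 0`; the two sites only agree because this routing sends every other non-empty auth_arg to verify_password first. Suggest a named constant (or the same strcmp) used in both files, plus a one-line comment here saying that "pg_shadow" deliberately falls through to crypt_verify, since the fall-through is the whole feature and is not visible from this hunk alone.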
    *** crypt.c.orig	Fri Mar 30 19:38:26 2001
    --- crypt.c	Fri Mar 30 19:39:07 2001
    ***************
    *** 280,287 ****
      	 * authentication method being used for this connection.
      	 */
      
    ! 	crypt_pwd =
    ! 		(port->auth_method == uaCrypt ? crypt(passwd, port->salt) : passwd);
      
      	if (!strcmp(pgpass, crypt_pwd))
      	{
    --- 280,294 ----
      	 * authentication method being used for this connection.
      	 */
      
    ! 	if (port->auth_method == uaCrypt)
    ! 		crypt_pwd = crypt(passwd, port->salt);
    ! 	else
    ! 	{
    ! 		/* if port->auth_arg, encrypt password from client before compare */
    ! 		if (port->auth_arg[0] != 0)
    ! 			pgpass = crypt(pgpass, passwd);
    ! 		crypt_pwd = passwd;
    ! 	}
      
      	if (!strcmp(pgpass, crypt_pwd))
      	{
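    Review bot: the arguments to crypt() in the uaPassword branch look reversed. crypt(3) is crypt(key, salt), so `pgpass = crypt(pgpass, passwd);` hashes the stored pg_shadow value using the client's cleartext as the salt, and the following `if (!strcmp(pgpass, crypt_pwd))` then compares that hash against the unmodified cleartext (`crypt_pwd = passwd;`), which can never match; the comment "encrypt password from client before compare" describes the opposite operation. The intended form is to hash the client's password with the stored value as salt (crypt only reads the first two characters of it) and leave the stored value alone, i.e. `crypt_pwd = crypt(passwd, pgpass);` in that branch with pgpass unchanged. Also, crypt() returns a pointer into a static buffer and may return NULL on failure, so the result should be NULL-checked before strcmp, in both the uaCrypt and the new uaPassword branch.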