Re: [HACKERS] User authentication bug?
Maarten Boekhold <maartenb@dutepp0.et.tudelft.nl>
From: Maarten Boekhold <maartenb@dutepp0.et.tudelft.nl>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: M.Boekhold@ITS.TUDelft.NL, pgsql-hackers@postgreSQL.org, pgsql-interfaces@postgreSQL.org, pgsql-patches@postgreSQL.org
Date: 1998-08-02T11:42:29Z
Lists: pgsql-hackers
On Sat, 1 Aug 1998, Tom Lane wrote: > Maarten Boekhold <maartenb@dutepp2.et.tudelft.nl> writes: > > OK, I now know what's going on, at least at my home (I had this problem > > on another server, dunno if it's caused by the same thing): > > I had a password longer than 8 characters in pg_shadow. > > when creating a user, postgres happily accepts more than 8 chars, and > > also stores them. apparently libpq-fe (or psql, dunno) only sends 8 > > chars. > > It's not libpq's fault (at least not with the current sources). > It's psql's. psql.c had a hardwired limit of 8 characters on > both the username and the password. Ick. > > With the attached patch, I have verified that long (> 8char anyway) > usernames and passwords work correctly in both "password" and "crypt" > authorization mode. NOTE: at least on my machine, it seems that the > crypt() routines ignore the part of the password beyond 8 characters, > so there's no security gain from longer passwords in crypt auth mode. > But they don't fail. .... > > It's possible that there are still bogus length limits on username > or password in some of the other PostgreSQL user interfaces besides > psql/libpq. I will leave it to other folks to check that code. I think the perl-module behaves the same, but I'm not totally sure about it. I have a script where passing a 9 chars username to PQconnectdb() fails to connect to a backend, while if I truncate the username to 8 chars it works. Maarten _____________________________________________________________________________ | TU Delft, The Netherlands, Faculty of Information Technology and Systems | | Department of Electrical Engineering | | Computer Architecture and Digital Technique section | | M.Boekhold@et.tudelft.nl | -----------------------------------------------------------------------------