mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-12-27 08:39:28 +08:00
Issue a proper error message when MD5 is attempted when
db_user_namespace is enabled. Also document this limitation.
This commit is contained in:
parent
176961c1f1
commit
170b66a0c5
@ -1,4 +1,4 @@
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.113 2008/11/20 20:45:29 momjian Exp $ -->
|
||||
|
||||
<chapter id="client-authentication">
|
||||
<title>Client Authentication</title>
|
||||
@ -712,6 +712,8 @@ omicron bryanh guest1
|
||||
If you are at all concerned about password
|
||||
<quote>sniffing</> attacks then <literal>md5</> is preferred.
|
||||
Plain <literal>password</> should always be avoided if possible.
|
||||
<literal>md5</> cannot be used with <xref
|
||||
linkend="guc-db-user-namespace">.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
@ -1,4 +1,4 @@
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.195 2008/11/11 02:42:31 tgl Exp $ -->
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.196 2008/11/20 20:45:29 momjian Exp $ -->
|
||||
|
||||
<chapter Id="runtime-config">
|
||||
<title>Server Configuration</title>
|
||||
@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;
|
||||
before the user name is looked up by the server.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<varname>db_user_namespace</> causes the client's and
|
||||
server's user name representation to differ.
|
||||
Authentication checks are always done with the server's user name
|
||||
so authentication methods must be configured for the
|
||||
server's user name, not the client's. Because
|
||||
<literal>md5</> uses the user name as salt on both the
|
||||
client and server, <literal>md5</> cannot be used with
|
||||
<varname>db_user_namespace</>.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
This feature is intended as a temporary measure until a
|
||||
|
@ -8,7 +8,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -413,6 +413,10 @@ ClientAuthentication(Port *port)
|
||||
break;
|
||||
|
||||
case uaMD5:
|
||||
if (Db_user_namespace)
|
||||
ereport(FATAL,
|
||||
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
||||
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
|
||||
sendAuthRequest(port, AUTH_REQ_MD5);
|
||||
status = recv_and_check_password_packet(port);
|
||||
break;
|
||||
|
@ -10,7 +10,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/20 11:48:26 mha Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/20 20:45:30 momjian Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -846,7 +846,16 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
|
||||
else if (strcmp(token, "reject") == 0)
|
||||
parsedline->auth_method = uaReject;
|
||||
else if (strcmp(token, "md5") == 0)
|
||||
{
|
||||
if (Db_user_namespace)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
||||
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
|
||||
return false;
|
||||
}
|
||||
parsedline->auth_method = uaMD5;
|
||||
}
|
||||
else if (strcmp(token, "pam") == 0)
|
||||
#ifdef USE_PAM
|
||||
parsedline->auth_method = uaPAM;
|
||||
|
Loading…
Reference in New Issue
Block a user