From 418697e051b36dcdcb1a07b79717e7c81629e36a Mon Sep 17 00:00:00 2001 From: Nathan Bossart Date: Fri, 12 Oct 2018 17:26:37 +0000 Subject: [PATCH v1 2/3] Add documentation regarding effective password length limits. --- doc/src/sgml/client-auth.sgml | 80 ++++++++++++++++++++++++++++++++++++ doc/src/sgml/libpq.sgml | 10 +++++ doc/src/sgml/ref/clusterdb.sgml | 16 ++++++++ doc/src/sgml/ref/createdb.sgml | 16 ++++++++ doc/src/sgml/ref/createuser.sgml | 21 ++++++++++ doc/src/sgml/ref/dropdb.sgml | 16 ++++++++ doc/src/sgml/ref/dropuser.sgml | 16 ++++++++ doc/src/sgml/ref/pg_basebackup.sgml | 16 ++++++++ doc/src/sgml/ref/pg_dump.sgml | 16 ++++++++ doc/src/sgml/ref/pg_dumpall.sgml | 16 ++++++++ doc/src/sgml/ref/pg_receivewal.sgml | 16 ++++++++ doc/src/sgml/ref/pg_recvlogical.sgml | 16 ++++++++ doc/src/sgml/ref/pg_restore.sgml | 16 ++++++++ doc/src/sgml/ref/psql-ref.sgml | 16 ++++++++ doc/src/sgml/ref/reindexdb.sgml | 16 ++++++++ doc/src/sgml/ref/vacuumdb.sgml | 16 ++++++++ 16 files changed, 319 insertions(+) diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index c2114021c3..1ce581ae0a 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml 
@@ -994,6 +994,26 @@ omicron bryanh guest1 + + + While md5 passwords do not have a defined maximum length + and scram-sha-256 passwords may be up to 1024 characters + long, many client utilities (e.g. psql) will + truncate passwords provided via prompt to 99 characters. Longer passwords + may be specified using alternatives to password prompts such as the + .pgpass file () and the + PGPASSWORD environment variable + (). + + + Furthermore, it should be noted that the server restricts password messages + to an effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 authentication + methods, it may not be enough for passwords sent in clear-text via the + method password. + + + PostgreSQL database passwords are separate from operating system user passwords. The password for @@ -1482,6 +1502,21 @@ omicron bryanh guest1 two separate connections to the LDAP server to be made. + + + While PostgreSQL's LDAP authentication method does not have a defined + maximum password length, many client utilities (e.g. + psql) will truncate passwords provided via + prompt to 99 characters. Longer passwords may be specified using + alternatives to password prompts such as the .pgpass + file () and the PGPASSWORD + environment variable (). However, it should + be noted that the server restricts password messages to an effective limit + of 995 characters, which presents an upper bound to the length of passwords + that will work with LDAP authentication. + + + The following configuration options are used in both modes: 
@@ -1765,6 +1800,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse a single value, in which case this value will apply to all servers. + + + While PostgreSQL's RADIUS authentication method does not have a defined + maximum password length, many client utilities (e.g. + psql) will truncate passwords provided via + prompt to 99 characters. Longer passwords may be specified using + alternatives to password prompts such as the .pgpass + file () and the PGPASSWORD + environment variable (). However, it should + be noted that the server restricts password messages to an effective limit + of 995 characters, which presents an upper bound to the length of passwords + that will work with RADIUS authentication. + + + The following configuration options are supported for RADIUS: @@ -1893,6 +1943,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse Linux-PAM Page. + + + While PostgreSQL's PAM authentication method does not have a defined + maximum password length, many client utilities (e.g. + psql) will truncate passwords provided via + prompt to 99 characters. Longer passwords may be specified using + alternatives to password prompts such as the .pgpass + file () and the PGPASSWORD + environment variable (). However, it should + be noted that the server restricts password messages to an effective limit + of 995 characters, which presents an upper bound to the length of passwords + that will work with PAM authentication. + + + The following configuration options are supported for PAM: 
@@ -1956,6 +2021,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse exist, and PostgreSQL will use the default login class. + + + While PostgreSQL's BSD authentication method does not have a defined + maximum password length, many client utilities (e.g. + psql) will truncate passwords provided via + prompt to 99 characters. Longer passwords may be specified using + alternatives to password prompts such as the .pgpass + file () and the PGPASSWORD + environment variable (). However, it should + be noted that the server restricts password messages to an effective limit + of 995 characters, which presents an upper bound to the length of passwords + that will work with BSD authentication. + + + To use BSD Authentication, the PostgreSQL user account (that is, the diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 06d909e804..28d5c0e57c 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1102,6 +1102,16 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname Password to be used if the server demands password authentication. + + + The server restricts password messages to an effective limit of 995 + characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/clusterdb.sgml b/doc/src/sgml/ref/clusterdb.sgml index ed343dd7da..6b41910e8c 100644 --- a/doc/src/sgml/ref/clusterdb.sgml +++ b/doc/src/sgml/ref/clusterdb.sgml 
@@ -239,6 +239,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/createdb.sgml b/doc/src/sgml/ref/createdb.sgml index 2658efeb1a..dc995bb295 100644 --- a/doc/src/sgml/ref/createdb.sgml +++ b/doc/src/sgml/ref/createdb.sgml @@ -274,6 +274,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml index 22ee99f2cc..e1db7f96e6 100644 --- a/doc/src/sgml/ref/createuser.sgml +++ b/doc/src/sgml/ref/createuser.sgml @@ -213,6 +213,11 @@ PostgreSQL documentation the password of the new user. This is not necessary if you do not plan on using password authentication. + + + Passwords provided via prompt will be truncated to 99 characters. + + 
@@ -378,6 +383,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/dropdb.sgml b/doc/src/sgml/ref/dropdb.sgml index 38f38f01ce..5e96079d0d 100644 --- a/doc/src/sgml/ref/dropdb.sgml +++ b/doc/src/sgml/ref/dropdb.sgml @@ -194,6 +194,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml index 3d4e4b37b3..8904f68119 100644 --- a/doc/src/sgml/ref/dropuser.sgml +++ b/doc/src/sgml/ref/dropuser.sgml 
@@ -198,6 +198,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/pg_basebackup.sgml b/doc/src/sgml/ref/pg_basebackup.sgml index c9f6ce4bb3..d97a859b53 100644 --- a/doc/src/sgml/ref/pg_basebackup.sgml +++ b/doc/src/sgml/ref/pg_basebackup.sgml @@ -641,6 +641,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml index 790e81c32c..96b16824a8 100644 --- a/doc/src/sgml/ref/pg_dump.sgml +++ b/doc/src/sgml/ref/pg_dump.sgml 
@@ -1172,6 +1172,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/pg_dumpall.sgml b/doc/src/sgml/ref/pg_dumpall.sgml index c51a130f43..b8c489ef55 100644 --- a/doc/src/sgml/ref/pg_dumpall.sgml +++ b/doc/src/sgml/ref/pg_dumpall.sgml @@ -623,6 +623,22 @@ PostgreSQL documentation to be dumped. Usually, it's better to set up a ~/.pgpass file than to rely on manual password entry. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/pg_receivewal.sgml b/doc/src/sgml/ref/pg_receivewal.sgml index a18ddd4bff..55c3580f04 100644 --- a/doc/src/sgml/ref/pg_receivewal.sgml +++ b/doc/src/sgml/ref/pg_receivewal.sgml 
@@ -325,6 +325,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/pg_recvlogical.sgml b/doc/src/sgml/ref/pg_recvlogical.sgml index 141c5cddce..d052db8fa8 100644 --- a/doc/src/sgml/ref/pg_recvlogical.sgml +++ b/doc/src/sgml/ref/pg_recvlogical.sgml @@ -356,6 +356,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/pg_restore.sgml b/doc/src/sgml/ref/pg_restore.sgml index 725acb192c..726d53eba0 100644 --- a/doc/src/sgml/ref/pg_restore.sgml +++ b/doc/src/sgml/ref/pg_restore.sgml 
@@ -781,6 +781,22 @@ In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/psql-ref.sgml b/doc/src/sgml/ref/psql-ref.sgml index eb9d93a168..c49e925cc5 100644 --- a/doc/src/sgml/ref/psql-ref.sgml +++ b/doc/src/sgml/ref/psql-ref.sgml @@ -526,6 +526,22 @@ EOF and so it affects uses of the meta-command \connect as well as the initial connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password prompts + such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/reindexdb.sgml b/doc/src/sgml/ref/reindexdb.sgml index 1273dad807..ddc1b7cd56 100644 --- a/doc/src/sgml/ref/reindexdb.sgml +++ b/doc/src/sgml/ref/reindexdb.sgml 
@@ -307,6 +307,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + diff --git a/doc/src/sgml/ref/vacuumdb.sgml b/doc/src/sgml/ref/vacuumdb.sgml index 955a17a849..ca7ff34816 100644 --- a/doc/src/sgml/ref/vacuumdb.sgml +++ b/doc/src/sgml/ref/vacuumdb.sgml @@ -332,6 +332,22 @@ PostgreSQL documentation In some cases it is worth typing to avoid the extra connection attempt. + + + + Passwords provided via prompt will be truncated to 99 characters. + Longer passwords may be specified using alternatives to password + prompts such as the .pgpass file + () and the PGPASSWORD + environment variable (). However, it + should be noted that the server restricts password messages to an + effective limit of 995 characters. While this is enough for the + scram-sha-256 and md5 + authentication methods, it may not be enough for passwords sent in + clear-text via methods such as password. See + for more information. + + -- 2.16.2
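Review bot: In the client-auth.sgml hunk at @@ -994, the first added paragraph says scram-sha-256 passwords "may be up to 1024 characters long", and the second says the 995-character message limit "is enough for the scram-sha-256 and md5 authentication methods". Read together these look contradictory unless the reader already knows that those two methods do not put the password itself into the password message. Add a clause saying so, so the contrast with "passwords sent in clear-text" is explicit. Two smaller points on the same paragraphs: both limits are given in "characters", and if they come from fixed-size buffers the unit should be bytes, since a multibyte password reaches the limit sooner. "effective limit" is also never explained, so either state the nominal limit it derives from or drop the word.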
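Review bot: In the LDAP, RADIUS, PAM and BSD hunks of client-auth.sgml (@@ -1482, @@ -1765, @@ -1893, @@ -1956), the text says the client prompt "will truncate" but only that the server "restricts password messages" to 995 characters, which leaves the failure mode open. A reader cannot tell whether an over-long password is rejected or silently shortened on the server side, and that matters for anyone setting a long password in the external directory. State which it is. The paragraph is also pasted four times with only the method name changed. A single paragraph in the password-authentication section, referenced from each method, would keep the wording and the numbers in one place.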
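Review bot: In the libpq.sgml hunk at @@ -1102, "clear-text via methods such as password" understates the scope. The client-auth.sgml hunks in this same patch say the 995-character bound also applies to LDAP, RADIUS, PAM and BSD authentication. Name those methods here, or say "any method that sends the password in clear-text", so a libpq user on LDAP or PAM does not assume the note is only about the password method.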
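Review bot: In the createuser.sgml hunk at @@ -213, the added sentence "Passwords provided via prompt will be truncated to 99 characters." sits under the prompt for the new user's password, where truncation changes the credential that gets stored rather than one that is merely sent. Unlike the connection-password note in the @@ -378 hunk, it offers no alternative and does not say whether the user is warned. Say that the stored password will be the truncated one, and point to a way of setting a longer password, or state that this prompt cannot be used for one.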
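Review bot: Across the doc/src/sgml/ref/*.sgml hunks (clusterdb through vacuumdb, plus the @@ -378 hunk in createuser.sgml), the same paragraph is added fourteen times with the literals 99 and 995 in each copy, so any change to either limit means editing every file and a missed copy leaves the docs wrong. Reduce each to one sentence about prompt truncation plus a cross-reference to the client-auth.sgml section, and keep the numbers only there. Each copy also presents the .pgpass file and PGPASSWORD as interchangeable alternatives. A single shared note would be the natural place for any caveat that the PGPASSWORD documentation attaches to that variable. The commit message has no body. One line on where the 99 and 995 figures come from would help reviewers verify them.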