Problem - any password accepted

Started by Oliver Elphick almost 19 years ago; 5 messages; list: general
#1 Oliver Elphick <olly@lfix.co.uk>

While experimenting just now, I seem to have found a weird problem with
passwords, in that _anything_ I type in is accepted as a valid password.

Here are the relevant bits of pg_hba.conf
# Database administrative login by UNIX sockets
local all postgres ident sameuser

# TYPE DATABASE USER CIDR-ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all all ident sameuser
# IPv4 local connections:
hostnossl junk olly 127.0.0.1/32 trust
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5

1. Unix socket access is fine - no password requested.
olly@linda:~$ psql junk
Welcome to psql 8.2.4, the PostgreSQL interactive terminal.

2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
the next host line, which specifies an md5 password. Whatever I type is
accepted.

junk=# \q
olly@linda:~$ psql -h localhost junk
Password:
Welcome to psql 8.2.4, the PostgreSQL interactive terminal.
junk=# select * from pg_shadow;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |               passwd                | valuntil | useconfig
----------+----------+-------------+----------+-----------+-------------------------------------+----------+-----------
 postgres |       10 | t           | t        | t         |                                     |          |
 olly     |    16384 | t           | t        | t         | md5739e5b0ea17d0a2b9b58df4fad055a09 |          |
(2 rows)

In the log I have:
2007-05-30 17:54:59 BST LOG: could not receive data from client: Connection reset by peer
2007-05-30 17:55:02 BST FATAL: password authentication failed for user "olly"

but it has still let me in.

--
Oliver Elphick olly@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
Do you want to know God? http://www.lfix.co.uk/knowing_god.html

#2 Richard Huxton <dev@archonet.com>
In reply to: Oliver Elphick (#1)
Re: Problem - any password accepted

Oliver Elphick wrote:

> While experimenting just now, I seem to have found a weird problem with
> passwords, in that _anything_ I type in is accepted as a valid password.
>
> Here are the relevant bits of pg_hba.conf
>
> # TYPE DATABASE USER CIDR-ADDRESS METHOD
>
> hostnossl junk olly 127.0.0.1/32 trust
> host all all 127.0.0.1/32 md5
>
> 2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
> the next host line, which specifies an md5 password. Whatever I type is
> accepted.
>
> In the log I have:
> 2007-05-30 17:54:59 BST LOG: could not receive data from client: Connection reset by peer
> 2007-05-30 17:55:02 BST FATAL: password authentication failed for user "olly"
>
> but it has still let me in.

Is it not falling back to non-SSL access, and so letting you through
with "trust"?

With a libpq call you could set "sslmode", but I'm not sure if you can
do that from the command-line.

--
Richard Huxton
Archonet Ltd

#3 Martijn van Oosterhout <kleptog@svana.org>
In reply to: Oliver Elphick (#1)
Re: Problem - any password accepted

On Wed, May 30, 2007 at 05:58:24PM +0100, Oliver Elphick wrote:

> While experimenting just now, I seem to have found a weird problem with
> passwords, in that _anything_ I type in is accepted as a valid password.
>
> # TYPE DATABASE USER CIDR-ADDRESS METHOD
> # IPv4 local connections:
> hostnossl junk olly 127.0.0.1/32 trust

Looks to me you're matching this line ^^^

> 2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
> the next host line, which specifies an md5 password. Whatever I type is
> accepted.

When SSL fails, it retries as non-SSL.

> In the log I have:
> 2007-05-30 17:54:59 BST LOG: could not receive data from client: Connection reset by peer
> 2007-05-30 17:55:02 BST FATAL: password authentication failed for user "olly"

Those lines are the failure of the SSL connection; the successful
connection is just fine.

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/


From each according to his ability. To each according to his ability to litigate.
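The mechanism Martijn points at can be checked without a running server. The following is an added example, not code from this thread or from PostgreSQL: it parses the records quoted above, applies the server's first-match semantics including the host/hostssl/hostnossl distinction, and models libpq's sslmode handling, where the default sslmode=prefer opens an SSL connection first and, if that connection fails for any reason (a rejected md5 password included), silently retries without SSL and so lands on the `hostnossl junk olly 127.0.0.1/32 trust` record. The rule text, the connection parameters and the helper names (`Rule`, `parse_pg_hba`, `first_match`, `_authenticate`, `libpq_connect`) are constructed for the example; `password_ok` stands in for the server's md5 check.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the records posted in the thread, in the same order
# (comments dropped; the two 'ident sameuser' records keep their option).
PG_HBA = """\
local     all   postgres  ident sameuser
local     all   all       ident sameuser
hostnossl junk  olly      127.0.0.1/32   trust
host      all   all       127.0.0.1/32   md5
host      all   all       ::1/128        md5
"""


@dataclass
class Rule:
    conn_type: str  # local | host | hostssl | hostnossl
    database: str
    user: str
    cidr: Optional[ipaddress.IPv4Network | ipaddress.IPv6Network]  # None for 'local'
    method: str
    lineno: int


def parse_pg_hba(text: str) -> list[Rule]:
    """Parse the record shapes used in the thread. Comments and blank lines are
    skipped; trailing method options such as 'sameuser' are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type, database, user = fields[:3]
        if conn_type == "local":
            cidr, method = None, fields[3]
        else:
            cidr, method = ipaddress.ip_network(fields[3], strict=False), fields[4]
        rules.append(Rule(conn_type, database, user, cidr, method, lineno))
    return rules


def _name_matches(pattern: str, value: str) -> bool:
    """'all' matches everything; otherwise a comma-separated list of names."""
    return pattern == "all" or value in pattern.split(",")


def first_match(rules: list[Rule], database: str, user: str,
                address: Optional[str] = None, ssl: bool = False) -> Optional[Rule]:
    """The server uses the first matching record; later records are never consulted.
    address=None models a Unix-socket connection, which only 'local' records match."""
    for r in rules:
        if address is None:
            if r.conn_type != "local":
                continue
        else:
            if r.conn_type == "local":
                continue
            if (r.conn_type == "hostssl" and not ssl) or (r.conn_type == "hostnossl" and ssl):
                continue
            if ipaddress.ip_address(address) not in r.cidr:  # False on a v4/v6 mismatch
                continue
        if _name_matches(r.database, database) and _name_matches(r.user, user):
            return r
    return None


def _authenticate(rule: Optional[Rule], password_ok: bool) -> bool:
    """The two methods in the thread: trust accepts anyone, md5 needs the right password.
    No matching record means the server rejects the connection outright."""
    if rule is None:
        return False
    if rule.method == "trust":
        return True
    if rule.method == "md5":
        return password_ok
    raise NotImplementedError(rule.method)


# Order of attempts per libpq sslmode: 'prefer' (the default) tries SSL first and,
# if that connection fails for any reason (a rejected password included), retries
# without SSL; 'allow' is the mirror image; 'require' and 'disable' never fall back.
SSL_ATTEMPTS = {"disable": [False], "allow": [False, True],
                "prefer": [True, False], "require": [True]}


def libpq_connect(rules: list[Rule], database: str, user: str, address: str,
                  password_ok: bool, sslmode: str = "prefer"):
    """Model a libpq client connecting over TCP. Returns (authenticated, ssl_used, rule)."""
    for ssl in SSL_ATTEMPTS[sslmode]:
        rule = first_match(rules, database, user, address, ssl)
        if _authenticate(rule, password_ok):
            return True, ssl, rule
    return False, None, None


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    # The thread's case: wrong password, default sslmode, loopback TCP to database 'junk'.
    ok, ssl, rule = libpq_connect(rules, "junk", "olly", "127.0.0.1", password_ok=False)
    print(f"prefer:  authenticated={ok} ssl={ssl} via line {rule.lineno}: {rule.method}")
    ok, ssl, rule = libpq_connect(rules, "junk", "olly", "127.0.0.1",
                                  password_ok=False, sslmode="require")
    print(f"require: authenticated={ok}")
```

Run as a script it reproduces the thread: with sslmode=prefer and a wrong password the SSL attempt fails md5 on the `host all all 127.0.0.1/32 md5` record, libpq retries in the clear, and the `hostnossl ... trust` record lets the client in; with sslmode=require the connection simply fails. The operational point is the same one the model makes: a `hostnossl ... trust` record placed before a `host ... md5` record is reachable by any client whose SSL attempt fails, so either remove the trust record or pin clients to SSL with sslmode=require, which libpq also reads from the PGSSLMODE environment variable.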

#4 Oliver Elphick <olly@lfix.co.uk>
In reply to: Martijn van Oosterhout (#3)
Re: Problem - any password accepted

On Wed, 2007-05-30 at 19:38 +0200, Martijn van Oosterhout wrote:

> On Wed, May 30, 2007 at 05:58:24PM +0100, Oliver Elphick wrote:
>
> > While experimenting just now, I seem to have found a weird problem with
> > passwords, in that _anything_ I type in is accepted as a valid password.
> >
> > # TYPE DATABASE USER CIDR-ADDRESS METHOD
> > # IPv4 local connections:
> > hostnossl junk olly 127.0.0.1/32 trust
>
> Looks to me you're matching this line ^^^
>
> > 2. TCP/IP access: this uses SSL so it skips the hostnossl line and hits
> > the next host line, which specifies an md5 password. Whatever I type is
> > accepted.
>
> When SSL fails, it retries as non-SSL.
>
> > In the log I have:
> > 2007-05-30 17:54:59 BST LOG: could not receive data from client: Connection reset by peer
> > 2007-05-30 17:55:02 BST FATAL: password authentication failed for user "olly"
>
> Those lines are the failure of the SSL connection; the successful
> connection is just fine.

I didn't realise it retried.

Thanks

--
Oliver Elphick olly@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
Do you want to know God? http://www.lfix.co.uk/knowing_god.html

#5 Tom Lane <tgl@sss.pgh.pa.us>
In reply to: Richard Huxton (#2)
Re: Problem - any password accepted

Richard Huxton <dev@archonet.com> writes:

> With a libpq call you could set "sslmode", but I'm not sure if you can
> do that from the command-line.

I think you can set it via a PGSSLMODE environment variable.

regards, tom lane