password method in pg_hba.conf fails

Started by Emmanuel Dreyfus, about 23 years ago, 7 messages, general
#1Emmanuel Dreyfus
manu@netbsd.org

Hello everybody

I just upgraded from 7.2.2 to 7.3.2, and this upgrade broke the way I
handled authentication.

I had an external password file ~pgsql/data/pg_passwd with lines like this:
guest:OgP29.PYhgA

~pgsql/data/pg_hba.conf contains entries like this (I had to add one field when
upgrading to 7.3.2, the beast complaining about it):
local all guest trust
local template1 all password pg_passwd
local dirdb all password pg_passwd

Then I try to login. I get this:
$ psql -U pgsql dirdb
Password:
psql: FATAL: Password authentication failed for user "pgsql"

ktrace'ing the postgres process (I'm running on NetBSD) shows that it never
tries to open ~pgsql/data/pg_passwd.

What went wrong?

--
Emmanuel Dreyfus
manu@netbsd.org

#2Tom Lane
tgl@sss.pgh.pa.us
In reply to: Emmanuel Dreyfus (#1)
Re: password method in pg_hba.conf fails

Emmanuel Dreyfus <manu@netbsd.org> writes:

> I had an external password file ~pgsql/data/pg_passwd with lines like this:
> guest:OgP29.PYhgA

We do not support external password files anymore. Sorry.

regards, tom lane

#3Tom Lane
tgl@sss.pgh.pa.us
In reply to: Tom Lane (#2)
Re: password method in pg_hba.conf fails

manu@netbsd.org (Emmanuel Dreyfus) writes:

>> We do not support external password files anymore. Sorry.

> What is the benefit of throwing away this feature?

I don't recall the reasoning. You can dig through the pghackers mailing
list archives if you want to see the discussion.

regards, tom lane

#4Bruce Momjian
bruce@momjian.us
In reply to: Tom Lane (#3)
Re: password method in pg_hba.conf fails

Tom Lane wrote:

> manu@netbsd.org (Emmanuel Dreyfus) writes:
>
>>> We do not support external password files anymore. Sorry.
>
>> What is the benefit of throwing away this feature?
>
> I don't recall the reasoning. You can dig through the pghackers mailing
> list archives if you want to see the discussion.

The issue is that no one was using it, or at least we thought so, and it
could only use crypt, while MD5 is better because it allows random salt
to be added to the over-the-wire password transfer.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
#5Tom Lane
tgl@sss.pgh.pa.us
In reply to: Bruce Momjian (#4)
Re: password method in pg_hba.conf fails

manu@netbsd.org (Emmanuel Dreyfus) writes:

> I now need to store the
> PostgreSQL superuser password in cleartext in a shell script.

The new ~/.pgpass mechanism should help with that.

> I'm ready to work on patches to re-introduce the feature, would you
> accept them?

No. We are trying to get away from using crypt(), mainly because it's
not very portable (and not even very secure these days). And the
secondary-password-file mechanism was never anything more than a kluge
anyway. If you want your database users to be actual Unix system users,
why not just check them directly against /etc/passwd?

> I thought about implementing a PAM for this, since 7.3 supports
> PAM. What do you think about it?

The whole point of PAM is to allow installation-local authentication
methods, so you could easily set up something that checks a password
against /etc/passwd if you like. (There is surely such a PAM module
out there already, I'd expect, so look before you write.)

If your OS supports it, you might also want to consider using
Unix-socket-IDENT authentication, and forget passwords altogether.

regards, tom lane
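
A defender-side check for the configuration this thread is about, added here as an example and not code from PostgreSQL or from anyone on the list: it parses pg_hba.conf records and flags `trust`, the cleartext `password` method, and the 7.2-style trailing password-file name that 7.3 no longer honours. The sample file and the names PG_HBA_SAMPLE, parse_hba_line and audit_hba are my own constructions, built from Emmanuel's entries plus two hardened records.

```python
# Added example (not PostgreSQL project code): audit pg_hba.conf records for the
# pitfalls raised in the thread. PG_HBA_SAMPLE, parse_hba_line and audit_hba are
# my own names; the sample is constructed from Emmanuel's entries plus two
# hardened lines (a salted-md5 host record and a unix-socket ident record).
PG_HBA_SAMPLE = """\
# TYPE  DATABASE   USER   [IP-ADDRESS  IP-MASK]       METHOD    [OPTION]
local   all        guest                              trust
local   template1  all                                password  pg_passwd
local   dirdb      all                                password  pg_passwd
host    dirdb      all    192.168.1.0  255.255.255.0  md5
local   dirdb      all                                ident     sameuser
"""


def parse_hba_line(line):
    """Return (type, db, user, method, options); None for blank/comment lines.
    'local' records have no address fields; host records (7.x syntax) carry
    IP-ADDRESS and IP-MASK before METHOD. Malformed records raise ValueError."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    f = line.split()
    n = 3 if f[0] == "local" else 5          # index of the METHOD field
    if len(f) <= n:
        raise ValueError(f"too few fields: {line!r}")
    return f[0], f[1], f[2], f[n], f[n + 1:]


def audit_hba(text):
    """Return [(line_no, finding)] for records a reviewer would flag."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        rec = parse_hba_line(raw)
        if rec is None:
            continue
        _ctype, db, user, method, opts = rec
        if method == "trust":
            findings.append((no, f"{db}/{user}: trust skips authentication entirely"))
        elif method == "password":
            msg = "cleartext password on the wire; prefer md5 (random salt) or local ident"
            if opts:
                # A trailing file name is the 7.2 external password file, unsupported in 7.3.
                msg += f"; external password file '{opts[0]}' is no longer supported"
            findings.append((no, f"{db}/{user}: {msg}"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_hba(PG_HBA_SAMPLE):
        print(f"line {no}: {finding}")
```

Run against a real data directory with `audit_hba(open("/path/to/data/pg_hba.conf").read())`; the md5 and ident records in the sample produce no findings.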

#6Bruce Momjian
bruce@momjian.us
In reply to: Tom Lane (#5)
Re: password method in pg_hba.conf fails

Tom Lane wrote:

>> I thought about implementing a PAM for this, since 7.3 supports
>> PAM. What do you think about it?

> The whole point of PAM is to allow installation-local authentication
> methods, so you could easily set up something that checks a password
> against /etc/passwd if you like. (There is surely such a PAM module
> out there already, I'd expect, so look before you write.)

> If your OS supports it, you might also want to consider using
> Unix-socket-IDENT authentication, and forget passwords altogether.

Right. If you are using a unix socket, they have already logged in, and
'local ident' allows you to know for sure who is on the other end of the
socket.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
#7Bruce Momjian
bruce@momjian.us
In reply to: Bruce Momjian (#6)
Re: password method in pg_hba.conf fails

Emmanuel Dreyfus wrote:

>> If your OS supports it, you might also want to consider using
>> Unix-socket-IDENT authentication, and forget passwords altogether.

> Most of the story is going on through httpd, so this won't help, the
> user is www, whatever the real user is.

> However, last time I checked, UNIX socket ident was not available on
> NetBSD. I'll really have to add support for this some day.

It has been available for NetBSD since 7.2. OpenBSD was only added in 7.4.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073