Bruce Momjian wrote:
> Alvaro Herrera wrote:
> > Tom Lane wrote:
> > > Bruce Momjian <bruce@xxxxxxxxxx> writes:
> > > > I don't know of a way to make MD5 and db_user_namespace work cleanly so
> > > > we are considering removing db_user_namespace in 8.4.
> > >
> > > We are? It's no more or less ugly than the day it was put in (the
> > > MD5 encryption option was already there).
> > >
> > > If we had some improved replacement to offer, I'd be all for getting
> > > rid of db_user_namespace; but without that I think we're just taking
> > > away a feature that some people are using. At least, the argument
> > > was made back in 2002 that people would use this if they had it;
> > > do we have evidence to the contrary now?
> >
> > I also disagree with removing it. I know some people (few and far
> > apart) are using it.
>
> Well, I posted about this in August with no one replying:
>
> http://archives.postgresql.org/pgsql-admin/2008-08/msg00068.php
>
> Basically, there is a mismatch between what libpq and the backend think
> is the username, and that affects how MD5 uses the salt on the two sides
> of the connection. The minimal solution would be to document this and
> print a proper error message.

I have developed the attached patch, which documents the inability to use
MD5 with db_user_namespace, and throws an error when it is used:

    psql: FATAL:  MD5 authentication is not supported when "db_user_namespace" is enabled

-- 
  Bruce Momjian  <bruce@xxxxxxxxxx>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/config.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v retrieving revision 1.194 diff -c -c -r1.194 config.sgml *** doc/src/sgml/config.sgml 9 Nov 2008 00:28:34 -0000 1.194 --- doc/src/sgml/config.sgml 11 Nov 2008 02:27:39 -0000 *************** *** 706,711 **** --- 706,720 ---- before the user name is looked up by the server. </para> + <para> + Keep in mind all authentication checks are done with + the server's representation of the user name, not the client's. + Because of this, <literal>MD5</> authentication will not work + when <literal>db_user_namespace</> is enabled because the + client and server have different representations of the user + name. + </para> + <note> <para> This feature is intended as a temporary measure until a Index: src/backend/libpq/auth.c =================================================================== RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v retrieving revision 1.170 diff -c -c -r1.170 auth.c *** src/backend/libpq/auth.c 28 Oct 2008 12:10:43 -0000 1.170 --- src/backend/libpq/auth.c 11 Nov 2008 02:27:42 -0000 *************** *** 368,373 **** --- 368,377 ---- break; case uaMD5: + if (Db_user_namespace) + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"))); sendAuthRequest(port, AUTH_REQ_MD5); status = recv_and_check_password_packet(port); break;
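Review bot: in the config.sgml hunk the new paragraph gives the reason twice ("Because of this ... because the client and server have different representations of the user name") and never tells the administrator what actually happens when the two options are combined, even though the auth.c hunk of this same patch makes the server refuse the connection with a FATAL error. Suggest tightening it to one sentence plus the observable behaviour, e.g.:
    Because authentication checks use the server's representation of the user name,
    <literal>MD5</> authentication cannot be used while <literal>db_user_namespace</> is enabled;
    the server will reject such connections with an error.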
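Review bot: in the auth.c hunk the new check fires only when a client actually reaches a uaMD5 entry in pg_hba.conf, so an administrator who turns on db_user_namespace with MD5 lines still configured discovers the conflict one refused login at a time rather than when the configuration is loaded; consider also reporting it when pg_hba.conf is parsed or when the GUC is assigned, and adding an errhint that names an alternative authentication method so the FATAL message is actionable. Placing the ereport before sendAuthRequest(port, AUTH_REQ_MD5) is correct, since the server then refuses before any password packet is exchanged. The hunk adds no #include, so confirm that Db_user_namespace is declared in a header auth.c already pulls in.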
-- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general