Subject: libpam-pgsql: Authentication against postgres users requires unencrypted passwords
Package: libpam-pgsql
Version: 0.7.1-2
Severity: normal
When you want to have fallback authentication schemes in postgresql, you need to
set up postgres to use pam, and then pam to use postgresql and others.
This can be accomplished by having pam rather than md5 in the pg_hba.conf file.
Then you need to set up /etc/pam.d/postgres like:

    auth sufficient pam_pgsql.so
    account sufficient pam_pgsql.so

And finally have /etc/pam_pgsql.conf like:

    database = postgres
    user = postgres
    table = pg_catalog.pg_shadow
    user_column = usename
    pwd_column = passwd
    ;expired_column = acc_expired
    ;newtok_column = acc_new_pwreq
    debug=1

The problem is that the hashed passwords of postgres use an unsupported
algorithm, returning 'md5'||md5hash(password||login).
The only way I found to make pam support in postgres work is to add to
pam_pgsql.conf:

    pw_type=clear

and in postgresql.conf:

    password_encryption = off

then restart postgres, then reset my password.
Storing plaintext passwords is obviously Bad. IMHO, requiring that looks like a
major problem.
pam-pgsql should support postgres's own hash algorithm.
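As an added illustration (not code from this report, from pam_pgsql or from PostgreSQL), the Python below reproduces the pg_shadow storage format the report describes, 'md5' || md5(password || role name), checks a candidate password against such a value, and shows why a checker that hashes only the bare password can never match it. The role name, password and resulting hash are constructed for the example.

```python
import hashlib
import hmac

# Added example (not part of the bug report or of pam_pgsql): reproduces the
# storage format described in the report, 'md5' || md5(password || role name),
# and checks a candidate password against a pg_shadow.passwd value.


def postgres_md5_hash(password: str, username: str) -> str:
    """Return the value PostgreSQL writes to pg_shadow.passwd for an md5 role.

    The role name is appended to the password before hashing, so it acts as a
    fixed (non-random) salt; this is why a module that hashes only the bare
    password cannot match the stored value.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def verify_postgres_password(stored: str, username: str, password: str) -> bool:
    """Check a (username, password) pair against a stored pg_shadow value.

    Only the 'md5' + 32 lowercase hex characters form is recognised; anything
    else (a cleartext entry, an empty entry) is rejected rather than compared.
    """
    if len(stored) != 35 or not stored.startswith("md5"):
        return False
    if any(c not in "0123456789abcdef" for c in stored[3:]):
        return False
    candidate = postgres_md5_hash(password, username)
    # Constant-time comparison, as an authentication check should use.
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def bare_md5_matches(stored: str, password: str) -> bool:
    """What a checker that hashes only the password (no role name) compares.

    For a value produced by postgres_md5_hash this is always False, which is
    the mismatch the report runs into.
    """
    candidate = "md5" + hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("utf-8"))


# Constructed sample: a role 'alice' with password 'correct horse', hashed the
# way PostgreSQL stores it when password_encryption is on.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"
SAMPLE_PG_SHADOW_PASSWD = postgres_md5_hash(SAMPLE_PASSWORD, SAMPLE_USER)

if __name__ == "__main__":
    print("stored value:     ", SAMPLE_PG_SHADOW_PASSWD)
    print("postgres-style check:",
          verify_postgres_password(SAMPLE_PG_SHADOW_PASSWD, SAMPLE_USER, SAMPLE_PASSWORD))
    print("bare-md5 check:      ",
          bare_md5_matches(SAMPLE_PG_SHADOW_PASSWD, SAMPLE_PASSWORD))
```

Because the role name is folded into the hash, a verifier needs the login name as well as the password, which the PAM module does have at authentication time; a module that supports this format would not need password_encryption = off or pw_type=clear.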
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-pgsql depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libpq5 8.4.4-2 PostgreSQL C client library
libpam-pgsql recommends no packages.
libpam-pgsql suggests no packages.
-- no debconf information