Magnus Hagander wrote:
> >> Not sure I care enough to dive into what it would actually mean. My
> >> guess is that it's very uncommon to use db_user_namespace in any of
> >> these scenarios (in fact I think it's very uncommon to use it at all,
> >> but even more uncommon in these cases)
> >
> > The documentation changes highlight that we are going to validate for
> > most external authentications using the server username, so the external
> > authentication has to be set up to use that server username. Were the
> > docs not clear on that? Do I need a mention of db_user_namespace in the
> > authentication docs?
>
> AFAICS, the changes only say MD5 doesn't work. I think it should be made
> more clear.
>
> And yes, it probably makes sense to put it around the authentication
> docs as well as a warning to people - that's where they'll go looking if
> something doesn't work.
OK, documentation updated stating that all authentication has to use
the server username, and added a mention in the client-auth docs too.
--
Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.111
diff -c -c -r1.111 client-auth.sgml
*** doc/src/sgml/client-auth.sgml 18 Nov 2008 13:10:20 -0000 1.111
--- doc/src/sgml/client-auth.sgml 20 Nov 2008 03:56:43 -0000
***************
*** 702,707 ****
--- 702,709 ----
If you are at all concerned about password
<quote>sniffing</> attacks then <literal>md5</> is preferred.
Plain <literal>password</> should always be avoided if possible.
+ <literal>md5</> cannot be used with <xref
+ linkend="guc-db-user-namespace">.
</para>
<para>
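Review bot: the added sentence states that md5 cannot be used with db_user_namespace but gives no reason, and the xref is the only pointer to one; since this is the paragraph readers consult when choosing between password and md5, a short clause such as "because the user name is part of the MD5 salt and the two sides see different names" would save a trip to the config page. The config.sgml hunk in the same patch already spells this out, so the wording can be reused.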
Index: doc/src/sgml/config.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
retrieving revision 1.195
diff -c -c -r1.195 config.sgml
*** doc/src/sgml/config.sgml 11 Nov 2008 02:42:31 -0000 1.195
--- doc/src/sgml/config.sgml 20 Nov 2008 03:56:44 -0000
***************
*** 706,711 ****
--- 706,722 ----
before the user name is looked up by the server.
</para>
+ <para>
+ <varname>db_user_namespace</> causes the client's and
+ server's user name representation to differ.
+ Authentication checks are always done with the server's user name
+ so authentication methods must be configured for the
+ server's user name, not the client's. Because
+ <literal>md5</> uses the user name as salt on both the
+ client and server, <literal>md5</> cannot be used with
+ <varname>db_user_namespace</>.
+ </para>
+
<note>
<para>
This feature is intended as a temporary measure until a
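Review bot: the new paragraph says both client and server use the user name as salt, but not that they salt with different names (the client's representation versus the server's, which the preceding sentences say differ), and that mismatch is the actual reason the hashes cannot match; making it explicit turns "cannot be used" into something an administrator can understand and verify. It would also help to say outright that the other methods keep working only when the external system is configured for the server-side name, which is the point the thread discussion asked to have made clearer.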
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.171
diff -c -c -r1.171 auth.c
*** src/backend/libpq/auth.c 18 Nov 2008 13:10:20 -0000 1.171
--- src/backend/libpq/auth.c 20 Nov 2008 03:56:44 -0000
***************
*** 371,376 ****
--- 371,380 ----
break;
case uaMD5:
+ if (Db_user_namespace)
+ ereport(FATAL,
+
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ errmsg("MD5 authentication is
not supported when \"db_user_namespace\" is enabled")));
sendAuthRequest(port, AUTH_REQ_MD5);
status = recv_and_check_password_packet(port);
break;
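Review bot: this FATAL check duplicates the parse-time rejection added in hba.c below; if the duplication is intentional (for example because db_user_namespace could change after pg_hba.conf was parsed), a one-line comment saying so would keep the next reader from removing one of the two. Raising the error before sendAuthRequest() is the right order, since the client never receives a password challenge it cannot satisfy. The errmsg string appears split across two lines in the mail, so confirm the committed file has it on one line or as a valid string continuation.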
Index: src/backend/libpq/hba.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v
retrieving revision 1.172
diff -c -c -r1.172 hba.c
*** src/backend/libpq/hba.c 28 Oct 2008 12:10:43 -0000 1.172
--- src/backend/libpq/hba.c 20 Nov 2008 03:56:47 -0000
***************
*** 846,852 ****
--- 846,861 ----
else if (strcmp(token, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token, "md5") == 0)
+ {
+ if (Db_user_namespace)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("MD5 authentication is not
supported when \"db_user_namespace\" is enabled")));
+ return false;
+ }
parsedline->auth_method = uaMD5;
+ }
else if (strcmp(token, "pam") == 0)
#ifdef USE_PAM
parsedline->auth_method = uaPAM;
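Review bot: returning false here makes parse_hba_line report the md5 entry as a configuration error, so if the caller treats any false return as a failure of the whole file, enabling db_user_namespace with an existing md5 line will cause the server to reject its pg_hba.conf rather than just skip that entry; that consequence belongs in the config.sgml text next to the new paragraph. The LOG message also carries no pg_hba.conf line number, so an administrator with several md5 entries cannot tell which one tripped the check; include the line number the caller passes in. The brace placement matches the surrounding style and ERRCODE_CONFIG_FILE_ERROR is the appropriate code for a parse-time rejection.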
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers