Re: crypt vs password in pg_hba.conf

From: "Robert C(dot) Paulsen Jr(dot)" <robert(at)paulsenonline(dot)net>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: crypt vs password in pg_hba.conf
Date: 2003-06-15 12:22:11
Message-ID: 20030615122211.GA26853@avalon.paulsen.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Sat, Jun 14, 2003 at 11:42:11PM +0100, Nigel J. Andrews wrote:
> On Sat, 14 Jun 2003, Robert C. Paulsen Jr. wrote:
>
> > I just compiled and installed version 7.3.3 and am having a problem with
> > encrypted logins.
> >
> > I built it using "--with-openssl" on the .configure command.
> >
> > All seemed to go OK during the build and install. I created a user with a
> > password and am able to connect with psql using the password if pg_hba.conf
+has
> > a line like this:
> >
> > host all all 192.168.0.0 255.255.255.0 password
> >
> > but if I change that line to this:
> >
> > host all all 192.168.0.0 255.255.255.0 crypt
>
> You need to tell postgresql that the password is to be encrypted when you set
> it.
>
> >
> > the connection fails with the message:
> >
> > psql: FATAL: Password authentication failed for user "robert"
>
> Because it is encrypting the password and comparing it against an unencrypted
> one.
>
> >
> > I am pretty sure I don't have the password wrong since I tried redoing it
> > several times using "ALTER USER".
>
> Check the syntax for the alter user statement, whereever it says you may use
> the word ENCRYPTED use it and you should then be able to use 'crypt' in the
> pg_hba.conf.
>

I'm using the Stones and Matthew book (Beginning Databases with
PostgreSQL) to learn and its description of the create and alter user
commands doesn't mention the "encrypted" option. So, based on your
comments I looked at the online documentation and found the following
interesting comment regarding md5:

This is the only method that allows encrypted passwords to be
stored in pg_shadow.

So, for crypt it seems the "encrypted" option of create and alter user
should *not* be used.

There is also a statement in the docs saying that passwords will be
encrypted in pg_shadow even *without* the "encrypted" option if the
"password_encryption" server parameter is "true". According to comments
in postgresql.conf this defaults to "false" in 7.2 and "true" in 7.3 --
that would explain my problem!

So, I switched to md5 and all is now working.

--
Robert C. Paulsen, Jr.
robert(at)paulsenonline(dot)net

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Tino Wildenhain 2003-06-15 14:48:56 Re: using sequences
Previous Message Mike Mascari 2003-06-15 11:49:39 Re: full featured alter table?