Re: [GENERAL] db_user_namespace, md5 and changing passwords

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Fernando Moreno <azazel(dot)7(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: [GENERAL] db_user_namespace, md5 and changing passwords
Date: 2008-11-18 03:22:29
Message-ID: 200811180322.mAI3MT805620@momjian.us
Lists: pgsql-general pgsql-hackers

Magnus Hagander wrote:
> Tom Lane wrote:
> > Magnus Hagander <magnus(at)hagander(dot)net> writes:
> >> I am unsure of exactly where this thing hacks into the authentication
> >> stream, but is it really only MD5 that fails?
> >
> > The problem with md5 is that the username is part of the encryption salt
> > for the stored password, so changing it breaks that --- the client will
> > hash the password with what it thinks the username is, but the stored
> > password in pg_authid is hashed with what the server thinks the username
> > is.
> >
> > You might be right that some other auth methods have an issue too,
> > but md5 is the only one anyone's ever reported a problem with. That
> > might or might not just represent lack of testing.
>
> Right.
>
> But say GSSAPI for example. It will get the username from an external
> source, and compare this to whatever the user specified. If we rewrite
> what the user specified, we lose.
>
> But maybe you can work around that by using pg_ident.conf, so *both* the
> identities get rewritten.
>
> Not sure I care enough to dive into what it would actually mean. My
> guess is that it's very uncommon to use db_user_namespace in any of
> these scenarios (in fact I think it's very uncommon to use it at all,
> but even more uncommon in these cases).

The documentation changes highlight that we are going to validate for
most external authentications using the server username, so the external
authentication has to be set up to use that server username. Were the
docs not clear on that? Do I need a mention of db_user_namespace in the
authentication docs?

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
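An added illustration of Tom's point about the md5 salt, written for this page and not taken from the thread or from PostgreSQL's own source: PostgreSQL stores `md5` + md5(password || rolename) in pg_authid and libpq recomputes that inner hash from the username it was given, so when db_user_namespace makes the server look up the role as `user@dbname` while the client still salts with `user`, the two sides derive different secrets. The role name `joe@mydb`, the password and the fixed 4-byte connection salt below are constructed sample values (a real server sends random salt bytes).

```python
import hashlib
import hmac


def stored_md5_secret(password: str, role_name: str) -> str:
    """What pg_authid holds for an md5 password: 'md5' + hex(md5(password || role name)).
    The role name is the salt, so the secret is bound to the server's view of the name."""
    inner = hashlib.md5((password + role_name).encode()).hexdigest()
    return "md5" + inner


def client_md5_response(password: str, username: str, salt: bytes) -> str:
    """What the client sends for AuthenticationMD5Password: it re-derives the stored
    secret from the password and the username *it* was told, then hashes that
    hex string together with the 4-byte salt the server sent."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_verify(stored_secret: str, salt: bytes, response: str) -> bool:
    """Server side: take the stored secret without its 'md5' prefix, hash it with the
    same salt, and compare with the client's response in constant time."""
    expected = "md5" + hashlib.md5(stored_secret[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def simulate_login(server_role: str, client_user: str,
                   password: str = "s3cret",
                   salt: bytes = b"\x01\x02\x03\x04") -> bool:
    """Run one md5 exchange where the server looked the role up as server_role
    (after any db_user_namespace rewriting) and the client salted with client_user.
    Password and salt are constructed sample values."""
    stored = stored_md5_secret(password, server_role)
    response = client_md5_response(password, client_user, salt)
    return server_verify(stored, salt, response)


if __name__ == "__main__":
    # Same name on both sides: the exchange succeeds.
    print("plain login:", simulate_login("joe", "joe"))
    # db_user_namespace=on: server resolves 'joe' to role 'joe@mydb', whose stored
    # secret was salted with 'joe@mydb'; libpq salted with 'joe'. Verification fails.
    print("namespaced login:", simulate_login("joe@mydb", "joe"))
```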
