Re: [GENERAL] db_user_namespace, md5 and changing passwords

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Fernando Moreno <azazel(dot)7(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: [GENERAL] db_user_namespace, md5 and changing passwords
Date: 2008-11-18 12:28:42
Message-ID: 4922B4FA.5040204@hagander.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-hackers

Bruce Momjian wrote:
> Magnus Hagander wrote:
>> Tom Lane wrote:
>>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>>> I am unsure of exactly where this thing hacks into the authentication
>>>> stream, but is it really only MD5 that fails?
>>> The problem with md5 is that the username is part of the encryption salt
>>> for the stored password, so changing it breaks that --- the client will
>>> hash the password with what it thinks the username is, but the stored
>>> password in pg_authid is hashed with what the server thinks the username
>>> is.
>>>
>>> You might be right that some other auth methods have an issue too,
>>> but md5 is the only one anyone's ever reported a problem with. That
>>> might or might not just represent lack of testing.
>> Right.
>>
>> But say GSSAPI for example. It will get the username from an external
>> source, and compare this to whatever the user specified. If we rewrite
>> what the user specified, we loose.
>>
>> But maybe you can work around that by using pg_ident.conf, so *both* the
>> identities gets rewritten.
>>
>> Not sure I care enough to dive into what it would actually mean. My
>> guess is that it's very uncommon to use db_user_namespace in any of
>> these scenarios (in fact I think it's very uncommon to use it at all,
>> but even more uncommon in these cases)
>
> The documentation changes highlight that we are going to validate for
> most external authentications using the server username, so the external
> authentication has to be set up to use that server username. Were the
> docs not clear on that? Do I need a mention of db_user_namespace in the
> authentication docs?

AFAICS, the changes only say MD5 doesn't work. I think it should be made
more clear.

And yes, it probably makes sense to put it around the authentication
docs as well as a warning to people - that's where they'll go looking if
something doesn't work.

//Magnus

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Sam Mason 2008-11-18 12:36:42 Re: Using database to find file doublettes in my computer
Previous Message Albe Laurenz 2008-11-18 12:24:59 Re: strange commit behavior

Browse pgsql-hackers by date

  From Date Subject
Next Message KaiGai Kohei 2008-11-18 12:40:55 Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)
Previous Message Emanuel CALVO FRANCO 2008-11-18 12:02:17 Re: [DOCS] FAQ_Solaris 1.28 to spanish