Re: pg_shadow.passwd versus pg_hba.conf password passwd

Richard Lynch writes:

> If I'm reading "man pg_passwd" correctly, I can create a standard
> Un*x passwd file and use that with "password" in pg_hba.conf

Correct.

> However, the current installation seems to be using "crypt", with no
> passwd file, and with unencrypted passwords in the pg_shadow.passwd
> field

I don't know what your current installation is, but that is definitely a
possible scenario.

> -- Or, at least, as far as I can tell, since /etc/.meta.id has
> the same text as the admin's pg_shadow.passwd field.

The file /etc/.meta.id is not used by PostgreSQL as distributed.

> So, my question is, what is the "passwd" field in pg_shadow for?...

If you don't use the extra argument after "password" in pg_hba.conf then
that's where the password comes from.

> Is that where an unencrypted password would be stored if I used
> "password" rather than "crypt"?...

"password" vs "crypt" is only related to what goes over the wire, not
where the password comes from.

> That seems the exact opposite of the reality on this box. Or can I
> get pg_hba.conf to just use that field somehow with "crypt"?

Crypt with password file is not possible, I'm afraid.

> If I *cannot* use pg_shadow.passwd for the encrypted password,

You can. You *are*, AFAICT.

> and I use standard Un*x passwd file, does create_user know enough with
> -P to fill that in properly, or am I on my own?...
>
> How is Cobalt getting this to work with "localhost all crypt" in
> pg_hba.conf, but the password does not seem to be encrypted:
> /etc/.meta.id is plaintext of pg_shadow.passwd, and there is no
> obvious passwd file, so where's the crypt?

On the wire.

--
Peter Eisentraut peter_e(at)gmx(dot)net http://yi.org/peter-e/