Issue a proper error message when MD5 is attempted when

db_user_namespace is enabled.

Also document this limitation.

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index f10a93953e1d63511fe26c5ab38b161972efd8d9..4a8aea4d3a9e29956e4b7ad19b4a20bbfee356c0 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-
+
 
 
  Client Authentication
@@ -712,6 +712,8 @@ omicron       bryanh            guest1
     If you are at all concerned about password
     sniffing attacks then md5 is preferred.
     Plain password should always be avoided if possible.
+    md5 cannot be used with 
+    linkend="guc-db-user-namespace">.
    
 
    


diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml

index 7931ea8737740d7bde4e74211b91b975d17730b0..dcb7c51b25ae6eb570f19cc0a8f1ce3c962a6984 100644 (file)

--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-
+
 
 
   Server Configuration
@@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;
         before the user name is looked up by the server.
        
 
+       
+        db_user_namespace causes the client's and
+        server's user name representation to differ.
+        Authentication checks are always done with the server's user name
+        so authentication methods must be configured for the
+        server's user name, not the client's.  Because
+        md5 uses the user name as salt on both the
+        client and server, md5 cannot be used with
+        db_user_namespace.
+       
+
        
         
          This feature is intended as a temporary measure until a


diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c

index 1d89e096820f1c96d9ee9798ee7e2293c939bed9..9545ded268b9f73ef3456d1ffe4bab3e908cc80f 100644 (file)

--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $
+ *   $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -413,6 +413,10 @@ ClientAuthentication(Port *port)
            break;
 
        case uaMD5:
+           if (Db_user_namespace)
+               ereport(FATAL,
+                       (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+                        errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
            sendAuthRequest(port, AUTH_REQ_MD5);
            status = recv_and_check_password_packet(port);
            break;


diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c

index 2464c5f6f94c1126a6258bfe931beafe0294267d..a70d53a0e2d6d6884b50c1df24dc6969e9da95ec 100644 (file)

--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/20 11:48:26 mha Exp $
+ *   $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/20 20:45:30 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -846,7 +846,16 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
    else if (strcmp(token, "reject") == 0)
        parsedline->auth_method = uaReject;
    else if (strcmp(token, "md5") == 0)
+   {
+       if (Db_user_namespace)
+       {
+           ereport(LOG,
+                   (errcode(ERRCODE_CONFIG_FILE_ERROR),
+                    errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
+           return false;
+       }
        parsedline->auth_method = uaMD5;
+   }
    else if (strcmp(token, "pam") == 0)
 #ifdef USE_PAM
        parsedline->auth_method = uaPAM;

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 7931ea8737740d7bde4e74211b91b975d17730b0..dcb7c51b25ae6eb570f19cc0a8f1ce3c962a6984 100644 (file)
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-
+
 
 
   Server Configuration
@@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;
         before the user name is looked up by the server.
        
 
+       
+        db_user_namespace causes the client's and
+        server's user name representation to differ.
+        Authentication checks are always done with the server's user name
+        so authentication methods must be configured for the
+        server's user name, not the client's.  Because
+        md5 uses the user name as salt on both the
+        client and server, md5 cannot be used with
+        db_user_namespace.
+       
+
        
         
          This feature is intended as a temporary measure until a

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 1d89e096820f1c96d9ee9798ee7e2293c939bed9..9545ded268b9f73ef3456d1ffe4bab3e908cc80f 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $
+ *   $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -413,6 +413,10 @@ ClientAuthentication(Port *port)
            break;
 
        case uaMD5:
+           if (Db_user_namespace)
+               ereport(FATAL,
+                       (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+                        errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
            sendAuthRequest(port, AUTH_REQ_MD5);
            status = recv_and_check_password_packet(port);
            break;

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 2464c5f6f94c1126a6258bfe931beafe0294267d..a70d53a0e2d6d6884b50c1df24dc6969e9da95ec 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/20 11:48:26 mha Exp $
+ *   $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/20 20:45:30 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -846,7 +846,16 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
    else if (strcmp(token, "reject") == 0)
        parsedline->auth_method = uaReject;
    else if (strcmp(token, "md5") == 0)
+   {
+       if (Db_user_namespace)
+       {
+           ereport(LOG,
+                   (errcode(ERRCODE_CONFIG_FILE_ERROR),
+                    errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
+           return false;
+       }
        parsedline->auth_method = uaMD5;
+   }
    else if (strcmp(token, "pam") == 0)
 #ifdef USE_PAM
        parsedline->auth_method = uaPAM;