Issue a proper error message when MD5 is attempted when

db_user_namespace is enabled. Also document this limitation.
2025-05-29 00:03:09 -04:00 · 2008-11-20 20:45:30 +00:00 · 2008-11-20 20:45:30 +00:00 · 170b66a0c5
commit 170b66a0c5
parent 176961c1f1
4 changed files with 30 additions and 4 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.113 2008/11/20 20:45:29 momjian Exp $ -->
 <chapter id="client-authentication">
 <title>Client Authentication</title>
@ -712,6 +712,8 @@ omicron       bryanh            guest1
    If you are at all concerned about password
    <quote>sniffing</> attacks then <literal>md5</> is preferred.
    Plain <literal>password</> should always be avoided if possible.
    <literal>md5</> cannot be used with <xref
    linkend="guc-db-user-namespace">.
   </para>
   <para>
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.195 2008/11/11 02:42:31 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.196 2008/11/20 20:45:29 momjian Exp $ -->
 <chapter Id="runtime-config">
  <title>Server Configuration</title>
@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;
        before the user name is looked up by the server.
       </para>
       <para>
        <varname>db_user_namespace</> causes the client's and
        server's user name representation to differ.
        Authentication checks are always done with the server's user name
        so authentication methods must be configured for the
        server's user name, not the client's.  Because
        <literal>md5</> uses the user name as salt on both the
        client and server, <literal>md5</> cannot be used with
        <varname>db_user_namespace</>.
       </para>
       <note>
        <para>
         This feature is intended as a temporary measure until a
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -413,6 +413,10 @@ ClientAuthentication(Port *port)
 			break;
 		case uaMD5:
 			if (Db_user_namespace)
 				ereport(FATAL,
 						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 						 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
 			sendAuthRequest(port, AUTH_REQ_MD5);
 			status = recv_and_check_password_packet(port);
 			break;
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/20 11:48:26 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/20 20:45:30 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -846,7 +846,16 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 	else if (strcmp(token, "reject") == 0)
 		parsedline->auth_method = uaReject;
 	else if (strcmp(token, "md5") == 0)
 	{
 		if (Db_user_namespace)
 		{
 			ereport(LOG,
 					(errcode(ERRCODE_CONFIG_FILE_ERROR),
 					 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
 			return false;
 		}
 		parsedline->auth_method = uaMD5;
 	}
 	else if (strcmp(token, "pam") == 0)
 #ifdef USE_PAM
 		parsedline->auth_method = uaPAM;