Skip to content

Commit 38bb1ab

Browse files
bmomjianbmomjian
committed
Use MD5 for wire protocol encryption for >= 7.2 client/server.
Allow pg_shadow to be MD5 encrypted. Add ENCRYPTED/UNENCRYPTED option to CREATE/ALTER user. Add password_encryption postgresql.conf option. Update wire protocol version to 2.1.
1 parent 397f65d commit 38bb1ab

27 files changed

+357
-192
lines changed

doc/src/sgml/client-auth.sgml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.15 2001/08/01 23:25:39 tgl Exp $ -->
1+
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.16 2001/08/15 18:42:14 momjian Exp $ -->
22

33
<chapter id="client-authentication">
44
<title>Client Authentication</title>
@@ -205,11 +205,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
205205
<para>
206206
Like the <literal>password</literal> method, but the password
207207
is sent over the wire encrypted using a simple
208-
challenge-response protocol. This is still not
209-
cryptographically secure but it protects against incidental
208+
challenge-response protocol. This protects against incidental
210209
wire-sniffing. The name of a file may follow the
211-
<literal>crypt</literal> keyword that contains a list of users
212-
that this record pertains to.
210+
<literal>crypt</literal> keyword. It contains a list of users
211+
for this record.
213212
</para>
214213
</listitem>
215214
</varlistentry>

doc/src/sgml/protocol.sgml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/protocol.sgml,v 1.18 2001/06/22 23:27:48 petere Exp $ -->
1+
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/protocol.sgml,v 1.19 2001/08/15 18:42:14 momjian Exp $ -->
22

33
<chapter id="protocol">
44
<title>Frontend/Backend Protocol</title>
@@ -1295,7 +1295,7 @@ EncryptedPasswordPacket (F)
12951295
</Term>
12961296
<ListItem>
12971297
<Para>
1298-
The encrypted (using crypt()) password.
1298+
The encrypted (using MD5 or crypt()) password.
12991299
</Para>
13001300
</ListItem>
13011301
</VarListEntry>

doc/src/sgml/ref/alter_user.sgml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/ref/alter_user.sgml,v 1.14 2001/07/10 22:09:27 tgl Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/ref/alter_user.sgml,v 1.15 2001/08/15 18:42:14 momjian Exp $
33
Postgres documentation
44
-->
55

@@ -27,7 +27,7 @@ ALTER USER <replaceable class="PARAMETER">username</replaceable> [ [ WITH ] <rep
2727

2828
where <replaceable class="PARAMETER">option</replaceable> can be:
2929

30-
PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
30+
[ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
3131
| CREATEDB | NOCREATEDB
3232
| CREATEUSER | NOCREATEUSER
3333
| VALID UNTIL '<replaceable class="PARAMETER">abstime</replaceable>'
@@ -53,10 +53,13 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
5353
</varlistentry>
5454

5555
<varlistentry>
56-
<term><replaceable class="PARAMETER">password</replaceable></term>
56+
<term><replaceable class="PARAMETER">[ encrypted | unencrypted ] password</replaceable></term>
5757
<listitem>
5858
<para>
5959
The new password to be used for this account.
60+
<literal>Encrypted</literal>/ <literal>unencrypted</literal>
61+
controls whether the password is stored encrypted in the
62+
database.
6063
</para>
6164
</listitem>
6265
</varlistentry>

doc/src/sgml/ref/create_user.sgml

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_user.sgml,v 1.17 2001/07/10 22:09:27 tgl Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_user.sgml,v 1.18 2001/08/15 18:42:14 momjian Exp $
33
Postgres documentation
44
-->
55

@@ -28,7 +28,7 @@ CREATE USER <replaceable class="PARAMETER">username</replaceable> [ [ WITH ] <re
2828
where <replaceable class="PARAMETER">option</replaceable> can be:
2929

3030
SYSID <replaceable class="PARAMETER">uid</replaceable>
31-
| PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
31+
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
3232
| CREATEDB | NOCREATEDB
3333
| CREATEUSER | NOCREATEUSER
3434
| IN GROUP <replaceable class="PARAMETER">groupname</replaceable> [, ...]
@@ -72,12 +72,19 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
7272
</varlistentry>
7373

7474
<varlistentry>
75-
<term><replaceable class="parameter">password</replaceable></term>
75+
<term><replaceable class="parameter">[ encrypted | unencrypted ] password</replaceable></term>
7676
<listitem>
7777
<para>
7878
Sets the user's password. If you do not plan to use password
7979
authentication you can omit this option, otherwise the user
8080
won't be able to connect to a password-authenticated server.
81+
</para>
82+
<para>
83+
<literal>ENCRYPTED/UNENCRYPTED</literal> controls whether the
84+
password is stored encrypted in the database. Older clients may
85+
have trouble communicating using encrypted password storage.
86+
</para>
87+
<para>
8188
See the chapter on client authentication in the
8289
<citetitle>Administrator's Guide</citetitle> for details on
8390
how to set up authentication mechanisms.

doc/src/sgml/runtime.sgml

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.74 2001/08/09 16:20:43 petere Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.75 2001/08/15 18:42:14 momjian Exp $
33
-->
44

55
<Chapter Id="runtime">
@@ -967,6 +967,18 @@ env PGOPTIONS='-c geqo=off' psql
967967

968968
<para>
969969
<variablelist>
970+
<varlistentry>
971+
<term>AUSTRALIAN_TIMEZONES (<type>bool</type>)</term>
972+
<listitem>
973+
<para>
974+
If set to true, <literal>CST</literal>, <literal>EST</literal>,
975+
and <literal>SAT</literal> are interpreted as Australian
976+
timezones rather than as North American Central/Eastern
977+
Timezones and Saturday. The default is false.
978+
</para>
979+
</listitem>
980+
</varlistentry>
981+
970982
<varlistentry>
971983
<indexterm>
972984
<primary>deadlock</primary>
@@ -1260,18 +1272,6 @@ dynamic_library_path = '/usr/local/lib:/home/my_project/lib:$libdir:$libdir/cont
12601272
</listitem>
12611273
</varlistentry>
12621274

1263-
<varlistentry>
1264-
<term>AUSTRALIAN_TIMEZONES (<type>bool</type>)</term>
1265-
<listitem>
1266-
<para>
1267-
If set to true, <literal>CST</literal>, <literal>EST</literal>,
1268-
and <literal>SAT</literal> are interpreted as Australian
1269-
timezones rather than as North American Central/Eastern
1270-
Timezones and Saturday. The default is false.
1271-
</para>
1272-
</listitem>
1273-
</varlistentry>
1274-
12751275
<varlistentry>
12761276
<indexterm>
12771277
<primary>SSL</primary>

0 commit comments

Comments
 (0)