Commit bcb0ccf5
Authored Aug 16, 2001
Author: Bruce Momjian
Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt.
Parent: f7eedfdf
Showing 6 changed files with 44 additions and 34 deletions
doc/src/sgml/client-auth.sgml +23 -12
doc/src/sgml/jdbc.sgml +2 -2
src/backend/libpq/auth.c +6 -9
src/backend/libpq/hba.c +4 -3
src/backend/libpq/pg_hba.conf.sample +7 -5
src/include/libpq/hba.h +2 -3
doc/src/sgml/client-auth.sgml
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.1
6 2001/08/15 18:42:14
momjian Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.1
7 2001/08/16 16:24:15
momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
...
...
@@ -194,25 +194,36 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<para>
The password is sent over the wire in clear text. For better
protection, use the <literal>crypt</literal> method.
protection, use the <literal>md5</literal> or
<literal>crypt</literal> methods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
crypt
</>
<term>
md5
</>
<listitem>
<para>
Like the <literal>password</literal> method, but the password
is sent over the wire encrypted using a simple
challenge-response protocol. This protects against incidental
wire-sniffing. The name of a file may follow the
<literal>
crypt
</literal> keyword. It contains a list of users
<literal>
md5
</literal> keyword. It contains a list of users
for this record.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>crypt</>
<listitem>
<para>
Like the <literal>md5</literal> method but uses older crypt
authentication for pre-7.2 clients.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb4</>
<listitem>
...
...
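Review bot: The new crypt entry at the end of this hunk omits the restriction that pg_hba.conf.sample states in this same commit ("You can not store encrypted passwords if you use this option"), so an administrator who reads only the SGML will not learn that crypt and encrypted stored passwords do not go together. Suggest carrying that sentence into the crypt <para>. The md5 entry also keeps the old crypt wording unchanged ("sent over the wire encrypted using a simple challenge-response protocol"); a clause saying which clients can answer md5 would make the choice between the two entries clear.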
@@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password in pg_shadow is correctly supplied:
host template1 192.168.12.10 255.255.255.255
crypt
host template1 192.168.12.10 255.255.255.255
md5
# In the absence of preceding "host" lines, these two lines will reject
# all connection attempts from 192.168.54.1 (since that entry will be
...
...
@@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para>
<para>
To restrict the set of users that are allowed to connect to
certain databases, list the set of users in a separate file (on
e
user name per line) in the same directory that
<filename>pg_hba.conf</> is in, and mention the (base) name of
the
file after the <literal>password</>
or <literal>crypt</> keyword,
To restrict the set of users that are allowed to connect to
certain
databases, list the set of users in a separate file (one user nam
e
per line) in the same directory that <filename>pg_hba.conf</> is in,
and mention the (base) name of the file after
the
<literal>password</>, <literal>md5</>,
or <literal>crypt</> keyword,
respectively, in <filename>pg_hba.conf</>. If you do not use this
feature, then any user that is known to the database system can
connect to any database (so long as he passes password
...
...
@@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
</para>
<para>
Alternative passwords cannot be used when using the
<literal>crypt</> method
. The file will still be evaluated as
Alternative passwords cannot be used when using the
<literal>md5</>
or <literal>crypt</> methods
. The file will still be evaluated as
usual but the password field will simply be ignored and the
<literal>pg_shadow</> password will be used.
</para>
...
...
doc/src/sgml/jdbc.sgml
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.2
0 2001/03/11 11:06:59 petere
Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/Attic/jdbc.sgml,v 1.2
1 2001/08/16 16:24:15 momjian
Exp $
-->
<chapter id="jdbc">
...
...
@@ -162,7 +162,7 @@ java uk.org.retep.finder.Main
<filename>pg_hba.conf</filename> file may need to be configured.
Refer to the <citetitle>Administrator's Guide</citetitle> for
details. The <acronym>JDBC</acronym> Driver supports trust,
ident, password, and crypt authentication methods.
ident, password, and
md5,
crypt authentication methods.
</para>
</sect2>
</sect1>
...
...
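Review bot: The list in the changed sentence now reads "ident, password, and md5, crypt authentication methods", with the conjunction left in front of md5; it should read "ident, password, md5, and crypt". None of the six files in this commit is JDBC driver code, so it is also worth confirming that the driver already answers an MD5 request before the documentation claims support for it.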
src/backend/libpq/auth.c
...
...
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.5
8 2001/08/16 04:27:18
momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.5
9 2001/08/16 16:24:15
momjian Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -501,19 +501,16 @@ ClientAuthentication(Port *port)
status
=
recv_and_check_password_packet
(
port
);
break
;
case
uaMD5
:
sendAuthRequest
(
port
,
AUTH_REQ_MD5
);
if
((
status
=
recv_and_check_password_packet
(
port
))
==
STATUS_OK
)
break
;
port
->
auth_method
=
uaCrypt
;
/* Try crypt() for old client */
/* FALL THROUGH */
case
uaCrypt
:
sendAuthRequest
(
port
,
AUTH_REQ_CRYPT
);
status
=
recv_and_check_password_packet
(
port
);
break
;
case
uaMD5
:
sendAuthRequest
(
port
,
AUTH_REQ_MD5
);
status
=
recv_and_check_password_packet
(
port
);
break
;
case
uaTrust
:
status
=
STATUS_OK
;
break
;
...
...
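Review bot: With the fall-through removed, the uaMD5 case reports only the status returned by recv_and_check_password_packet(port), so a client that cannot answer AUTH_REQ_MD5 is not distinguishable here from one that sent a wrong password. An administrator who changes a line from crypt to md5 will then have no indication of why pre-7.2 clients stopped connecting; suggest logging a distinct message on that path. A short comment in the uaMD5 case saying that there is deliberately no retry with AUTH_REQ_CRYPT would also keep the downgrade from being reintroduced later.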
src/backend/libpq/hba.c
...
...
@@ -10,7 +10,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.6
3 2001/08/16 04:27:18
momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.6
4 2001/08/16 16:24:15
momjian Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
*
userauth_p
=
uaKrb5
;
else
if
(
strcmp
(
token
,
"reject"
)
==
0
)
*
userauth_p
=
uaReject
;
else
if
(
strcmp
(
token
,
"crypt"
)
==
0
)
/* Try MD5 first; on failure, switch to crypt() */
else
if
(
strcmp
(
token
,
"md5"
)
==
0
)
*
userauth_p
=
uaMD5
;
else
if
(
strcmp
(
token
,
"crypt"
)
==
0
)
*
userauth_p
=
uaCrypt
;
else
*
error_p
=
true
;
line
=
lnext
(
line
);
...
...
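Review bot: The "crypt" branch changes meaning without any notice to existing installations: before this hunk the token mapped to uaMD5 (MD5 first, crypt() on failure), and now it maps to uaCrypt, so a pg_hba.conf that already says crypt silently stops offering MD5 to newer clients. Suggest calling this out in the release notes or in pg_hba.conf.sample so that administrators know to change existing crypt lines to md5.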
src/backend/libpq/pg_hba.conf.sample
...
...
@@ -115,13 +115,15 @@
# utility. Remember, these passwords override pg_shadow
# passwords.
#
#
crypt
: Same as "password", but authentication is done by
#
md5
: Same as "password", but authentication is done by
# encrypting the password sent over the network. This is
# always preferable to "password" except for old clients
# that don't support "crypt". Also, crypt can use
# usernames stored in secondary password files but not
# secondary passwords.
# that don't support it. Also, md5 can use usernames stored
# in secondary password files but not secondary passwords.
#
# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can
# not store encrypted passwords if you use this option.
#
# ident: For TCP/IP connections, authentication is done by contacting
# the ident server on the client host. (CAUTION: this is only
# as secure as the client machine!) On machines that support
...
...
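Review bot: The crypt entry's caveat "You can not store encrypted passwords if you use this option" does not say what happens when a crypt line is used for a user whose password is already stored encrypted. Suggest stating the outcome for that case and writing "cannot". The md5 entry says it is preferable "except for old clients that don't support it" but does not point such clients to the crypt entry below; one cross-reference there would tell the reader what to use instead.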
@@ -173,7 +175,7 @@
# if the user's password in pg_shadow is correctly supplied:
#
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host template1 192.168.12.10 255.255.255.255
crypt
# host template1 192.168.12.10 255.255.255.255
md5
#
# In the absence of preceding "host" lines, these two lines will reject
# all connection from 192.168.54.1 (since that entry will be matched
...
...
src/include/libpq/hba.h
...
...
@@ -4,7 +4,7 @@
* Interface to hba.c
*
*
* $Id: hba.h,v 1.2
3 2001/08/15 18:42:15
momjian Exp $
* $Id: hba.h,v 1.2
4 2001/08/16 16:24:16
momjian Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -36,8 +36,7 @@ typedef enum UserAuth
uaIdent
,
uaPassword
,
uaCrypt
,
uaMD5
/* This starts as uaCrypt from pg_hba.conf, but gets
overridden if the client supports MD5 */
uaMD5
}
UserAuth
;
typedef
struct
Port
hbaPort
;
...
...
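Review bot: After the stale comment is removed, uaCrypt and uaMD5 at the end of the enum carry no documentation at all. A one-line comment on each, naming the pg_hba.conf keyword that selects it and noting that uaCrypt exists for pre-7.2 clients, would record the one-to-one mapping that hba.c now implements.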