Issue a proper error message when MD5 is attempted when

bmomjian · bmomjian · commit 170b66a0c5ed · 2008-11-20T20:45:30.000Z
db_user_namespace is enabled.

Also document this limitation.
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.113 2008/11/20 20:45:29 momjian Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -712,6 +712,8 @@ omicron       bryanh            guest1
     If you are at all concerned about password
     <quote>sniffing</> attacks then <literal>md5</> is preferred.
     Plain <literal>password</> should always be avoided if possible.
+    <literal>md5</> cannot be used with <xref
+    linkend="guc-db-user-namespace">.
    </para>
 
    <para>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.195 2008/11/11 02:42:31 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.196 2008/11/20 20:45:29 momjian Exp $ -->
 
 <chapter Id="runtime-config">
   <title>Server Configuration</title>
@@ -706,6 +706,17 @@ SET ENABLE_SEQSCAN TO OFF;
         before the user name is looked up by the server.
        </para>
 
+       <para>
+        <varname>db_user_namespace</> causes the client's and
+        server's user name representation to differ.
+        Authentication checks are always done with the server's user name
+        so authentication methods must be configured for the
+        server's user name, not the client's.  Because
+        <literal>md5</> uses the user name as salt on both the
+        client and server, <literal>md5</> cannot be used with
+        <varname>db_user_namespace</>.
+       </para>
+
        <note>
         <para>
          This feature is intended as a temporary measure until a
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -413,6 +413,10 @@ ClientAuthentication(Port *port)
 			break;
 
 		case uaMD5:
+			if (Db_user_namespace)
+				ereport(FATAL,
+						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+						 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
 			sendAuthRequest(port, AUTH_REQ_MD5);
 			status = recv_and_check_password_packet(port);
 			break;
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.174 2008/11/20 11:48:26 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.175 2008/11/20 20:45:30 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -846,7 +846,16 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 	else if (strcmp(token, "reject") == 0)
 		parsedline->auth_method = uaReject;
 	else if (strcmp(token, "md5") == 0)
+	{
+		if (Db_user_namespace)
+		{
+			ereport(LOG,
+					(errcode(ERRCODE_CONFIG_FILE_ERROR),
+					 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
+			return false;
+		}
 		parsedline->auth_method = uaMD5;
+	}
 	else if (strcmp(token, "pam") == 0)
 #ifdef USE_PAM
 		parsedline->auth_method = uaPAM;

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.173 2008/11/20 11:48:26 mha Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.174 2008/11/20 20:45:30 momjian Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -413,6 +413,10 @@ ClientAuthentication(Port *port)`
`413`	`413`	`break;`
`414`	`414`
`415`	`415`	`case uaMD5:`
	`416`	`+ if (Db_user_namespace)`
	`417`	`+ ereport(FATAL,`
	`418`	`+ (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),`
	`419`	`+ errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));`
`416`	`420`	`sendAuthRequest(port, AUTH_REQ_MD5);`
`417`	`421`	`status = recv_and_check_password_packet(port);`
`418`	`422`	`break;`