From bcb0ccf5be9ef9e1a76968e773cb2bd11565ef9c Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Thu, 16 Aug 2001 16:24:16 +0000 Subject: [PATCH] Add new MD5 pg_hba.conf keyword. Prevent fallback to crypt. --- doc/src/sgml/client-auth.sgml | 43 +++++++++++++++++----------- doc/src/sgml/jdbc.sgml | 4 +-- src/backend/libpq/auth.c | 15 ++++------ src/backend/libpq/hba.c | 7 +++-- src/backend/libpq/pg_hba.conf.sample | 12 ++++---- src/include/libpq/hba.h | 5 ++-- 6 files changed, 48 insertions(+), 38 deletions(-) diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index a7c9c8616b..76cba40751 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,4 +1,4 @@ - + Client Authentication @@ -194,7 +194,22 @@ hostssl database IP-address The password is sent over the wire in clear text. For better - protection, use the crypt method. + protection, use the md5 or + crypt methods. + + + + + + md5 + + + Like the password method, but the password + is sent over the wire encrypted using a simple + challenge-response protocol. This protects against incidental + wire-sniffing. The name of a file may follow the + md5 keyword. It contains a list of users + for this record. @@ -203,12 +218,8 @@ hostssl database IP-addresscrypt - Like the password method, but the password - is sent over the wire encrypted using a simple - challenge-response protocol. This protects against incidental - wire-sniffing. The name of a file may follow the - crypt keyword. It contains a list of users - for this record. + Like the md5 method but uses older crypt + authentication for pre-7.2 clients. 
@@ -328,7 +339,7 @@ host template1 192.168.93.0 255.255.255.0 ident sameuser # Allow a user from host 192.168.12.10 to connect to database "template1" # if the user's password in pg_shadow is correctly supplied: -host template1 192.168.12.10 255.255.255.255 crypt +host template1 192.168.12.10 255.255.255.255 md5 # In the absence of preceding "host" lines, these two lines will reject # all connection attempts from 192.168.54.1 (since that entry will be @@ -377,11 +388,11 @@ host all 192.168.0.0 255.255.0.0 ident omicron - To restrict the set of users that are allowed to connect to - certain databases, list the set of users in a separate file (one - user name per line) in the same directory that - pg_hba.conf is in, and mention the (base) name of the - file after the password or crypt keyword, + To restrict the set of users that are allowed to connect to certain + databases, list the set of users in a separate file (one user name + per line) in the same directory that pg_hba.conf is in, + and mention the (base) name of the file after the + password, md5, or crypt keyword, respectively, in pg_hba.conf. If you do not use this feature, then any user that is known to the database system can connect to any database (so long as he passes password @@ -414,8 +425,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron - Alternative passwords cannot be used when using the - crypt method. The file will still be evaluated as + Alternative passwords cannot be used when using the md5 + or crypt methods. The file will still be evaluated as usual but the password field will simply be ignored and the pg_shadow password will be used. diff --git a/doc/src/sgml/jdbc.sgml b/doc/src/sgml/jdbc.sgml index 0d02c03967..3063ee432d 100644 --- a/doc/src/sgml/jdbc.sgml +++ b/doc/src/sgml/jdbc.sgml @@ -1,5 +1,5 @@ 
@@ -162,7 +162,7 @@ java uk.org.retep.finder.Main pg_hba.conf file may need to be configured. Refer to the Administrator's Guide for details. The JDBC Driver supports trust, - ident, password, and crypt authentication methods. + ident, password, and md5, crypt authentication methods. diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 2fd417e613..c139f93f71 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.58 2001/08/16 04:27:18 momjian Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/16 16:24:15 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -501,19 +501,16 @@ ClientAuthentication(Port *port) status = recv_and_check_password_packet(port); break; - case uaMD5: - sendAuthRequest(port, AUTH_REQ_MD5); - if ((status = recv_and_check_password_packet(port)) == STATUS_OK) - break; - port->auth_method = uaCrypt; - /* Try crypt() for old client */ - /* FALL THROUGH */ - case uaCrypt: sendAuthRequest(port, AUTH_REQ_CRYPT); status = recv_and_check_password_packet(port); break; + case uaMD5: + sendAuthRequest(port, AUTH_REQ_MD5); + status = recv_and_check_password_packet(port); + break; + case uaTrust: status = STATUS_OK; break; diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index f9e7898fb1..cfafa712e1 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -10,7 +10,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.63 2001/08/16 04:27:18 momjian Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.64 2001/08/16 16:24:15 momjian Exp $ * *------------------------------------------------------------------------- */ 
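Review bot: Nothing in the new `case uaMD5:` records that the crypt downgrade was removed on purpose, so a later reader who sees `uaCrypt` and `uaMD5` side by side with near-identical bodies may be tempted to merge them and reintroduce the fallthrough the commit is deleting. I'd put a short comment above the new case, e.g. `/* No fallback to crypt: a client that fails the MD5 challenge is rejected, never re-challenged with the weaker method. */`. The old code also set `port->auth_method = uaCrypt` before retrying, which suggests `recv_and_check_password_packet` keys its check off that field; the new case leaves it untouched, which looks correct but is worth confirming against that helper. ClientAuthentication starts and ends outside the hunk.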
@@ -226,9 +226,10 @@ parse_hba_auth(List *line, ProtocolVersion proto, UserAuth *userauth_p,
 *userauth_p = uaKrb5;
 else if (strcmp(token, "reject") == 0)
 *userauth_p = uaReject;
- else if (strcmp(token, "crypt") == 0)
- /* Try MD5 first; on failure, switch to crypt() */
+ else if (strcmp(token, "md5") == 0)
 *userauth_p = uaMD5;
+ else if (strcmp(token, "crypt") == 0)
+ *userauth_p = uaCrypt;
 else
 *error_p = true;
 line = lnext(line);
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index a489b78a70..d7498717b5 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -115,13 +115,15 @@
 # utility. Remember, these passwords override pg_shadow
 # passwords.
 #
-# crypt: Same as "password", but authentication is done by
+# md5: Same as "password", but authentication is done by
 # encrypting the password sent over the network. This is
 # always preferable to "password" except for old clients
-# that don't support "crypt". Also, crypt can use
-# usernames stored in secondary password files but not
-# secondary passwords.
+# that don't support it. Also, md5 can use usernames stored
+# in secondary password files but not secondary passwords.
 #
+# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can
+# not store encrypted passwords if you use this option.
+#
 # ident: For TCP/IP connections, authentication is done by contacting
 # the ident server on the client host. (CAUTION: this is only
 # as secure as the client machine!) On machines that support
@@ -173,7 +175,7 @@
 # if the user's password in pg_shadow is correctly supplied:
 #
 # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
-# host template1 192.168.12.10 255.255.255.255 crypt
+# host template1 192.168.12.10 255.255.255.255 md5
 #
 # In the absence of preceding "host" lines, these two lines will reject
 # all connection from 192.168.54.1 (since that entry will be matched
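Review bot: The `"crypt"` branch now maps to `uaCrypt` only, so every existing pg_hba.conf entry that says `crypt` silently loses the MD5 exchange it got before this commit, even for clients that support it; the keyword's meaning has weakened with no signal at parse time. At minimum the branch deserves a comment such as `/* "crypt" no longer upgrades to md5; it exists only for pre-7.2 clients */`, and the change should be called out so administrators know to rewrite their entries to `md5`. Whether parse_hba_auth has a logging facility available to warn here cannot be seen from the hunk. parse_hba_auth starts and ends outside the hunk.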
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 11f052d363..da506d7aee 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
 * Interface to hba.c
 *
 *
- * $Id: hba.h,v 1.23 2001/08/15 18:42:15 momjian Exp $
+ * $Id: hba.h,v 1.24 2001/08/16 16:24:16 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -36,8 +36,7 @@ typedef enum UserAuth
 uaIdent,
 uaPassword,
 uaCrypt,
- uaMD5 /* This starts as uaCrypt from pg_hba.conf, but gets
- overridden if the client supports MD5 */
+ uaMD5
 } UserAuth;
 
 typedef struct Port hbaPort;