Hello,
I am trying to set up a secure scheme for database access for my web servers,
by modifying pg_hba.conf.
What I want is :
* the connection from the http server is authenticated, from another host,
* the connection is allowed with crypted password for the Postgres superuser, from well-known hosts,
* security for the local access is left to the other levels (telnet, rexec, etc.): no password required,
* some people must have access to specific databases on the server, with an ODBC connection.
I modified the pg_hba.conf file this way, but I cannot figure out the way crypted
passwords work:
* must I store crypted passwords in the pg_shadow table?
* is there a means to allow crypted password connection for just a known user from a known host (like if I use the password+file scheme in the pg_hba.conf file, with a password file for each registered user)?
* does the psql program send encrypted passwords if needed? (as I can test the connections using it)
The active lines from the pg_hba.conf file look like:
local all trust
host all 192.168.200.23 255.255.255.255 password passwd.auch
host all 192.168.200.22 255.255.255.255 crypt
With this file, I can connect from 192.168.200.22 to 192.168.200.23 (the database
resides on this machine), with "psql -h auch -u", typing the username/password as
stored in the pg_shadow table :
nhuillard=> select * from pg_shadow;
usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd |valuntil
---------+--------+-----------+--------+--------+---------+-------+----------------------------
postgres | 40|t |t |t |t | |Sat Jan 31 07:00:00 2037 CET
nhuillard| 501|t |t |t |t |thepass|
When I type the password "thepass", with the crypt security, I can access the
database. When I type the same password "thepass", with the password security, I also
have access to the database. This would mean that the password is stored uncrypted in
pg_shadow, and limited to alphanumeric characters.
The pg_shadow table is also written to the pg_pwd file in the PG_DATA directory,
readable by everybody: this means that there is no security on my Postgres
installation! This file is updated and chmod 666 each time I change the password with
"ALTER USER".
I installed v6.5.2 with the RPMs provided at
http://www.ramifordistat.net/postgres/RPMS/redhat-5.2
I didn't run the regression tests.
My system is Linux RH 5.2 (kernel 2.0.35).
TIA,
Nicolas Huillard
G.H.S
Directeur Technique
Tél : +33 1 43 21 16 66
Fax : +33 1 56 54 02 18
mailto:[EMAIL PROTECTED]
http://www.ghs.fr
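An added audit check, not part of Nicolas's post or of PostgreSQL itself, that mirrors the two things he observed: it parses a psql listing of pg_shadow (a constructed copy of the one above) and flags users whose passwd column holds something other than an empty value or a crypt(3)-style hash, and it reports whether a file such as pg_pwd is readable by everybody. The sample text and the 13-character crypt(3) pattern are assumptions made here for the example.

```python
import os
import re
import stat

# Constructed sample, copied from the psql "select * from pg_shadow"
# listing in the post: postgres has an empty passwd, nhuillard's is as typed.
SAMPLE_PG_SHADOW = """\
usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd |valuntil
---------+--------+-----------+--------+--------+---------+-------+------
postgres | 40|t |t |t |t | |Sat Jan 31 07:00:00 2037 CET
nhuillard| 501|t |t |t |t |thepass|
"""

# Assumption: a traditional crypt(3) DES hash is 13 characters from this
# alphabet; anything else that is non-empty is treated as stored in the clear.
CRYPT_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


def parse_pg_shadow(text):
    """Parse psql's pipe-separated pg_shadow listing into {usename: passwd}."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = [col.strip() for col in lines[0].split("|")]
    u_idx, p_idx = header.index("usename"), header.index("passwd")
    users = {}
    for line in lines[2:]:  # skip the header and the dashed separator row
        cols = [col.strip() for col in line.split("|")]
        users[cols[u_idx]] = cols[p_idx]
    return users


def cleartext_password_users(text):
    """Users whose stored passwd is neither empty nor a crypt(3)-style hash."""
    return sorted(user for user, pw in parse_pg_shadow(text).items()
                  if pw and not CRYPT_RE.match(pw))


def mode_world_readable(mode):
    """True if a file mode grants read permission to 'other' (e.g. 0666)."""
    return bool(mode & stat.S_IROTH)


def world_readable(path):
    """True if the file at path (e.g. $PGDATA/pg_pwd) is readable by everybody."""
    return mode_world_readable(os.stat(path).st_mode)


if __name__ == "__main__":
    print("cleartext passwords for:", cleartext_password_users(SAMPLE_PG_SHADOW))
```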