Re: Re: [NOVICE] Password protection?

From: Rasputin <rasputin(at)freebsd-uk(dot)eu(dot)org>
To: pgsql-novice(at)postgresql(dot)org
Subject: Password protection?
Date: 2000-12-04 14:08:23
Message-ID: 20001204140823.A37054@dogma.freebsd-uk.eu.org
Lists: pgsql-general pgsql-novice

Quick query -

I can't figure out how to password protect a username.

e.g. I'm trying to create

user: rasputin
password: obvious

createuser seems to work fine;

createuser -d -A -P -e

but psql never asks for the password, it just lets me in.

i.e. createdb -U rasputin babel

creates a database without prompting for a password.

I'm obviously missing something incredibly simple.

Postgres 7.0.3, all connections are local.

I tried tweaking the 'local' lines in

~postgres/data/pg_hba.conf (changed 'trust' to 'crypt')
and restarting postmaster, but that blocked the postgres user too!

I reckon it's that file I need to edit, but how?
(Or how do I set an initial password for the user 'postgres')

Cheers.

--
Rasputin
Jack of All Trades :: Master of Nuns


From: "Joel Burton" <jburton(at)scw(dot)org>
To: Rasputin <rasputin(at)freebsd-uk(dot)eu(dot)org>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: Password protection?
Date: 2000-12-04 16:21:27
Message-ID: 3A2B7E37.10126.3E261F@localhost

On 4 Dec 2000, at 14:08, Rasputin wrote:

> I can't figure out how to password protect a username.

Change the line in pg_hba.conf to "password", not trust. Trust
means that the user is never prompted for a password. (This is the
default for local connections, which seems much too open for my
tastes; unfortunately, many people create their "host" Internet
lines never having changed this.)

To create a password for the postgres user,

ALTER USER postgres WITH PASSWORD 'xxxxx';

or, to see what's really happening, look in pg_password.

--
Joel Burton, Director of Information Systems -*- jburton(at)scw(dot)org
Support Center of Washington (www.scw.org)
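For readers following along, here is the change Joel describes, written out as a pg_hba.conf fragment in the 7.0.x record format. This is an added example, not a file from the thread or from the PostgreSQL project; the database name "babel" is taken from the original post, while the 10.0.0.0/24 subnet is an assumed address range. Records are matched first to last, so the weak default and the corrected lines are shown side by side, with the weak ones commented out.

```conf
# pg_hba.conf, PostgreSQL 7.0.x record format:
#   local   DATABASE                      AUTH_TYPE
#   host    DATABASE  IP        NETMASK   AUTH_TYPE
# The first record matching a connection decides how it is authenticated.
# Constructed example: "babel" comes from the thread, 10.0.0.0/24 is assumed.

# --- Weak: the default the original poster found ---
# "trust" accepts whoever reaches the socket as whatever user they claim,
# so psql and createdb never ask for a password.
#local   all                              trust
#host    all   127.0.0.1 255.255.255.255  trust

# --- Corrected ---
# Before switching, give every account a password, the postgres superuser
# included (ALTER USER postgres WITH PASSWORD '...'); an account without a
# password cannot pass "password" or "crypt" authentication, which is why
# the poster's first attempt locked postgres out.
local   all                              password
host    all   127.0.0.1 255.255.255.255  password

# "crypt" uses a challenge-response exchange instead of sending the
# password in the clear, so prefer it for anything that crosses a wire
# (assumed office subnet):
host    babel 10.0.0.0  255.255.255.0    crypt

# Everything else that reaches the postmaster is refused outright.
host    all   0.0.0.0   0.0.0.0          reject
```

After editing the file, the postmaster must be restarted for the change to take effect, as the original post notes; test with a non-superuser account from a second terminal before closing the one you are logged in with, so a mistake in the file cannot lock you out the way the poster's "crypt" change did.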


From: "Joel Burton" <jburton(at)scw(dot)org>
To: Rasputin <rasputin(at)freebsd-uk(dot)eu(dot)org>
Cc: pgsql-novice(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org
Subject: Re: [NOVICE] Password protection?
Date: 2000-12-04 18:49:49
Message-ID: 3A2BA0FD.9075.C600FA@localhost

On 4 Dec 2000, at 17:09, Rasputin wrote:
> On Mon, Dec 04, 2000 at 11:21:27AM -0500, Joel Burton wrote:
> > On 4 Dec 2000, at 14:08, Rasputin wrote:
> > > I can't figure out how to password protect a username.
> >
> > Change the line in pg_hba.conf to "password", not trust. Trust means
> > that the user is never prompted for a password. (This is the default
> > for local connections, which seems much too open for my tastes;
> > unfortunately, many people create their "host" Internet lines never
> > having changed this.)
[ ... ]
> > To create a password for the postgres user,
> >
> > ALTER USER postgres WITH PASSWORD 'xxxxx';
> >
> > or, to see what's really happening, look in pg_password.
>
> Great - that's what I wanted.
> Is there an ERD for template1 anywhere?
> (If that's the right db; I have no idea how to list all the tables
> postgresql uses).

\dS in psql will list most of the tables (it doesn't show a few true
oddities, but shows all the ones that have useful or semi-useful
information.) You can query pg_class to see *ALL* relations,
including tables, sequences, views, etc.

> Yoiks! They're in plaintext! (~/data/pg_pwd in 7.0.3 apparently)
>
> I can change the line to 'crypt' instead of password,
> how do I get the crypted password into the template1 db?
>
> MySQL was something like:
>
> insert into wibble
> values (user, crptypw)
> (rasputin , crypt('obvious'))

Yes, MySQL uses a hashed-password scheme (your password is
never actually stored in MySQL, but a hash of it is).

PgSQL stores the plaintext password. Non-superusers can only look
at pg_password, where the password is starred out, but pg_shadow
shows the real passwords.

None of this (AFAIK) has anything to do w/pg_hba.conf--as far as I
understand, PG *always* uses these plaintext passwords. [Anyone
know any differently?]

This is bad (IMHO) in that a superuser can learn users' passwords
(and since users often pick that same password for a database that
they use for other things...); however, do keep in mind that, as
you can block access to the PG server based on net address, etc.,
you can [try to] still keep people at bay *even* if they got hold
somehow of your passwords. But, yes, I'd prefer hash passwords.

--
Joel Burton, Director of Information Systems -*- jburton(at)scw(dot)org
Support Center of Washington (www.scw.org)


From: "Joel Burton" <jburton(at)scw(dot)org>
To: "Joel Burton" <jburton(at)scw(dot)org>
Cc: pgsql-novice(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org
Subject: Re: Re: [NOVICE] Password protection?
Date: 2000-12-04 22:03:21
Message-ID: 3A2BCE59.15706.17738C8@localhost
[ answer about PG passwords deleted ]

> PgSQL stores the plaintext password. Non-superusers can only look at
> pg_password, where the password is starred out, but pg_shadow shows
> the real passwords.

Oops! I meant "pg_user", not "pg_password". The whole
/etc/passwd and /etc/shadow playing with my mind!

--
Joel Burton, Director of Information Systems -*- jburton(at)scw(dot)org
Support Center of Washington (www.scw.org)