mod_auth_pgsql & encryption

Hi all,
I have recently installed Apache/1.3.28 +
mod_auth_pgsql-0.9.12
(http://www.giuseppetanzilli.it/mod_auth_pgsql/)

The only way I have been able to get it to
successfully authenticate against my postgres (7.3.4)
database is to turn Auth_PG_encrypted off & have
encryption turned off in postgresql.conf. I am really
uncomfortable with the idea of having unencrypted user
passwords laying about, but if I try to use an
encrypted password from the database, I get 'password
mismatch'.

I have tried:
- setting Auth_PG_pwd_table to pg_shadow,
Auth_PG_encrypted to "on"; results in "password
mismatch" error
- setting Auth_PG_pwd_table to user_auth (table I
created--docs were not clear on whether you could use
an existing table such as pg_shadow),
Auth_PG_encrypted to "on", user passwords c&pd from
pg_shadow; results in "password mismatch"
- setting Auth_PG_pwd_table to user_auth,
Auth_PG_encrypted to "on", user passwords c&pd from a
separate md5 hash program; results in "password
mismatch"
- setting Auth_PG_pwd_table to user_auth,
Auth_PG_encrypted to "off", user passwords set in
plain text; works
- setting Auth_PG_nopasswd to "on", give user a blank
password; works
- (for verification) setting Auth_PG_pwd_table back to
pg_shadow, turn encryption off in postgresql.conf, set
user password to plain text, Auth_PG_encrypted to
"off"; works

I would really like to use the existing tables
(pg_shadow, pg_group) instead of maintaining a
separate set of tables for user logins & group
assignments, assuming I get the encryption part
figured out.
Anybody have any ideas how I could go about resolving
this or troubleshooting it further? It seems to me
there is a difference between postgres's encryption
and mod_auth_pgsql's encryption. Google turned up
only a few people who'd had the same problem (no
answers to it) and people who said they'd been using
mod_auth_pgsql for a while with no problems. ???

TIA
mol


---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to ma*******@postgresql.org)

Nov 11 '05 #1


On Mon, 22 Sep 2003, Molly Gibson wrote:
> Hi all,
> I have recently installed Apache/1.3.28 +
> mod_auth_pgsql-0.9.12
> (http://www.giuseppetanzilli.it/mod_auth_pgsql/)
>
> The only way I have been able to get it to
> successfully authenticate against my postgres (7.3.4)
> database is to turn Auth_PG_encrypted off & have
> encryption turned off in postgresql.conf. I am really
> uncomfortable with the idea of having unencrypted user
> passwords laying about, but if I try to use an
> encrypted password from the database, I get 'password
> mismatch'.


I'm personally using mod_auth_pgsql against a user table with encrypted
passwords. To properly encrypt them I am using the contrib pgcrypto
module and something like

UPDATE myusertable
SET passwd = crypt('password', gen_salt('md5'))
WHERE userid = 1;

I don't believe you can use pg_shadow to authenticate against, but some
things to look at are:

- verify that the passwords are encrypted in pg_shadow.
- try changing the value of Auth_PG_hash_type to md5

Kris Jurka

Nov 12 '05 #2
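The "password mismatch" in the original post comes down to three different on-disk formats that all get called "encrypted". The following is an added example in Python, not code from the thread or from mod_auth_pgsql. It assumes that with Auth_PG_hash_type MD5 the module compares the hex MD5 digest of the submitted password against the stored column, which is the value Holger's encode(digest(..., 'md5'), 'hex') produces further down the thread, and it uses PostgreSQL's documented storage format for MD5 role passwords in pg_shadow: the string md5 followed by md5(password || username). Because the user name is folded into that digest, a value copied out of pg_shadow can never equal the plain digest the module computes, and pgcrypto's crypt(pw, gen_salt('md5')) from Kris's reply yields a third format again ($1$salt$hash, crypt(3) style). The user name and password below are constructed. Note for practitioners: an unsalted hex MD5 is what the module accepts here, but it is not an acceptable password store by current standards; it is shown only to explain the mismatch.

```python
"""Why a hash copied from pg_shadow never matches what mod_auth_pgsql computes.

Added example, not code from the thread or from mod_auth_pgsql. Assumptions:
  * Auth_PG_hash_type MD5 means "compare hex MD5 of the submitted password".
  * pg_shadow stores 'md5' || md5(password || username) (PostgreSQL's format).
User name and password are constructed.
"""
import hashlib
import hmac


def pg_shadow_md5(password: str, username: str) -> str:
    """PostgreSQL's stored form for an MD5-encrypted role password."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def mod_auth_pgsql_md5(password: str) -> str:
    """Hex MD5 of the bare password, i.e. encode(digest(pw, 'md5'), 'hex')."""
    return hashlib.md5(password.encode()).hexdigest()


def module_check(sent_password: str, stored: str) -> bool:
    """Simulated Auth_PG_encrypted on / Auth_PG_hash_type MD5 comparison.

    Constant-time comparison is used so the simulation does not leak
    the position of the first differing byte.
    """
    return hmac.compare_digest(mod_auth_pgsql_md5(sent_password), stored)


def diagnose(stored: str) -> str:
    """Classify a stored value so the mismatch is explained, not guessed at."""
    if stored.startswith("md5") and len(stored) == 35:
        return ("pg_shadow format (md5 + md5(password||username)); "
                "the module's plain digest cannot match it")
    if stored.startswith("$1$"):
        return ("crypt(3) MD5 format from pgcrypto gen_salt('md5'); "
                "needs a crypt-based check, not a hex MD5 comparison")
    hexdigits = set("0123456789abcdef")
    if len(stored) == 32 and set(stored.lower()) <= hexdigits:
        return "hex MD5 of the password; what Auth_PG_hash_type MD5 compares against"
    return "plaintext or unknown; only matches with Auth_PG_encrypted off"


if __name__ == "__main__":
    # Constructed sample: a role "mol" with password "hunter2".
    user, pw = "mol", "hunter2"
    for label, stored in (("copied from pg_shadow", pg_shadow_md5(pw, user)),
                          ("encode(digest(pw,'md5'),'hex')", mod_auth_pgsql_md5(pw)),
                          ("plaintext", pw)):
        print(f"{label:32} {stored:40} match={module_check(pw, stored)}")
        print(f"{'':32} -> {diagnose(stored)}")
```

Run it and the first row (the pg_shadow copy) reports match=False with the explanation, the second row reports match=True, and the plaintext row only works once Auth_PG_encrypted is turned off, which is exactly the pattern of results listed in the original post.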
On Mon, 22 Sep 2003, Molly Gibson wrote:
> Hi all,
> I have recently installed Apache/1.3.28 +
> mod_auth_pgsql-0.9.12
> (http://www.giuseppetanzilli.it/mod_auth_pgsql/)
>
> The only way I have been able to get it to
> successfully authenticate against my postgres (7.3.4)
> database is to turn Auth_PG_encrypted off & have
> encryption turned off in postgresql.conf. I am really
> uncomfortable with the idea of having unencrypted user
> passwords laying about, but if I try to use an
> encrypted password from the database, I get 'password
> mismatch'.
>
> I would really like to use the existing tables
> (pg_shadow, pg_group) instead of maintaining a
> separate set of tables for user logins & group
> assignments, assuming I get the encryption part
> figured out.
> Anybody have any ideas how I could go about resolving
> this or troubleshooting it further? It seems to me
> there is a difference between postgres's encryption
> and mod_auth_pgsql's encryption. Google turned up
> only a few people who'd had the same problem (no
> answers to it) and people who said they'd been using
> mod_auth_pgsql for a while with no problems. ???


I can't help you with your problem if you insist on using PostgreSQL's
system tables.

I never thought of that because I always wrote a PHP page where an
administrator could create/delete/lock users. And I don't like the idea
that such a program needs admin privileges on the PostgreSQL side.

I always use two tables and a function that automatically adds a default
group to a newly created user. You will see that I use

encode(digest('mypassword', 'md5'), 'hex')

to create an encrypted password that mod_auth_pgsql accepts.

And I modified mod_auth_pgsql to always write a record to a log table,
even if the login fails. Then I added a trigger that increases the
"failed" column, and that way I can limit the number of attempts. My
.htaccess looks like this:

--snip--------------------------------------------------------------

AuthName "bluebell"
AuthType Basic
deny from all
allow from 10.66.53
allow from 127.0.0.1
satisfy any
require group intern
#
Auth_PG_host localhost
Auth_PG_port 5432
Auth_PG_user www
Auth_PG_pwd secret
Auth_PG_database db1
Auth_PG_encrypted on
Auth_PG_hash_type MD5
Auth_PG_pwd_table apache_users
Auth_PG_uid_field userid
Auth_PG_pwd_field password
Auth_PG_pwd_whereclause " and failed < (select max_failed from apache_parms) "
Auth_PG_grp_table apache_groups
Auth_PG_gid_field groupid
Auth_PG_grp_whereclause " and active = TRUE "
Auth_PG_log_table apache_log
Auth_PG_log_uname_field userid
Auth_PG_log_date_field timestamp
Auth_PG_log_uri_field uri
Auth_PG_log_addrs_field ip
Auth_PG_log_pwd_field password

--snip--------------------------------------------------------------

And the changed part of mod_auth_pgsql.c is only the added line
no. 747. Yes, it could be made faster if someone redesigned the
whole module so that we wouldn't need a trigger and could simply
increase the error counter instead. But that would require more
changes to the module.

--snip--------------------------------------------------------------

736 /* if the flag is off however, keep that kind of stuff at
737 * an arms length.
738 */
739 if ((!strlen (real_pw)) || (!strlen (sent_pw)))
740 {
741 snprintf (pg_errstr, MAX_STRING_LEN,
742 "PG: user %s: Empty Password(s) Rejected", c->user);
743 ap_log_reason (pg_errstr, r->uri, r);
744 ap_note_basic_auth_failure (r);
745
746 /* -hm- 2003-07-27 */
747 pg_log_auth_user (r, sec, c->user, sent_pw);
748
749 return AUTH_REQUIRED;
750 };


--snip--------------------------------------------------------------

-- Users. userid is restricted to [a-z0-9_-]; password holds the hex MD5
-- digest produced by encode(digest(..., 'md5'), 'hex'); failed counts
-- consecutive bad logins and is what Auth_PG_pwd_whereclause checks.
create table apache_users (
    userid   text not null
             check (length(trim(userid)) > 0 and
                    userid ~* '^[a-z0-9_\-]+$'),
    password text not null
             check (length(trim(password)) >= 6)
             default encode(digest('start', 'md5'), 'hex'),
    name     text default 'Herr/Frau Muster',
    failed   integer default 0,
    seqno    serial,
    primary key (userid)
);

-- Group membership. A user may be in several groups; the active flag is
-- what Auth_PG_grp_whereclause filters on.
create table apache_groups (
    userid  varchar(100) not null
            references apache_users (userid)
            on update cascade
            on delete cascade,
    groupid varchar(100) not null default 'kennwortaenderung'
            check (length(trim(groupid)) > 0 and
                   groupid ~* '^[a-z0-9_\-]+$'),
    active  boolean default true,
    seqno   serial,
    primary key (userid, groupid)
);

-- Every new user is put into the default group 'kennwortaenderung'
-- (German for "password change").
create function apache_groups_insert_f()
returns opaque   -- PostgreSQL 7.3 and later also accept 'trigger' here
as 'begin
    insert into apache_groups (userid)
    values (new.userid);
    return new;
end;'
language 'plpgsql';

create trigger apache_groups_insert_tr
after insert on apache_users
for each row
execute procedure apache_groups_insert_f();

grant all on apache_users to www;
grant all on apache_users_seqno_seq to www;
grant all on apache_groups to www;
grant all on apache_groups_seqno_seq to www;

-- One row per login attempt, written by the patched module (see the
-- Auth_PG_log_* directives in .htaccess above), successful or not.
create table apache_log (
    userid    text,
    password  text,
    timestamp timestamp,
    uri       text,
    ip        inet,
    seqno     serial
);

grant all on apache_log to www;
grant all on apache_log_seqno_seq to www;

-- A logged password equal to the stored one resets the counter, anything
-- else increments it. This only works if the module writes the password
-- to apache_log in the same (hashed) form that apache_users.password uses.
create function apache_users_update_f()
returns opaque   -- PostgreSQL 7.3 and later also accept 'trigger' here
as 'begin
    update apache_users
       set failed = 0
     where userid = new.userid and
           password = new.password;
    update apache_users
       set failed = failed + 1
     where userid = new.userid and
           password <> new.password;
    return new;
end;'
language 'plpgsql';

create trigger apache_users_update_tr
after insert on apache_log
for each row
execute procedure apache_users_update_f();

-- Single-row parameter table read by Auth_PG_pwd_whereclause.
-- The drop is a leftover from re-running the script; it errors if the
-- table does not exist yet.
drop table apache_parms;

create table apache_parms (
    max_failed integer
);

insert into apache_parms
values (10);

grant all on apache_parms to www;
--snip--------------------------------------------------------------

--
PGP/GPG Key-ID:
http://blackhole.pca.dfn.de:11371/pk...rch=0xB5A1AFE1

Nov 12 '05 #3
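Holger's lockout scheme has an edge case that is easy to miss when reading the trigger: the counter is reset by the log row, not by a successful authentication. The following is an added example in Python with an in-memory SQLite database, not code from the thread and not mod_auth_pgsql. It reproduces the apache_users, apache_log and apache_parms tables and the apache_users_update_tr trigger from the post (the two UPDATEs are the same, in SQLite syntax), runs the authentication SELECT with the Auth_PG_pwd_whereclause from the .htaccess, and then inserts the log row the patched module would write. It assumes two things the thread does not state outright: that the module writes the hex MD5 of the submitted password into apache_log.password (otherwise the trigger's equality test could never reset the counter), and, as a switchable parameter, whether an attempt is still logged when the WHERE clause returned no row. User names, passwords and the client address are constructed.

```python
"""Holger's failed-login counter, modelled in SQLite so it runs offline.

Added example, not code from the thread or from mod_auth_pgsql. Assumptions:
  * apache_log.password receives the hex MD5 of the submitted password.
  * log_when_locked says whether an attempt is logged even when the
    authentication SELECT returned no row (locked or unknown user).
User names and passwords are constructed.
"""
import hashlib
import hmac
import sqlite3

SCHEMA = """
create table apache_users (
    userid   text primary key,
    password text not null,            -- hex MD5 digest, as in the thread
    failed   integer not null default 0
);
create table apache_log (
    userid text, password text, uri text, ip text,
    ts text default current_timestamp
);
create table apache_parms (max_failed integer);

-- Same logic as apache_users_update_f(): a logged hash equal to the stored
-- one resets the counter, anything else increments it.
create trigger apache_users_update_tr after insert on apache_log
for each row begin
    update apache_users set failed = 0
     where userid = new.userid and password = new.password;
    update apache_users set failed = failed + 1
     where userid = new.userid and password <> new.password;
end;
"""


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def new_db(max_failed: int = 3) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("insert into apache_parms values (?)", (max_failed,))
    return db


def add_user(db: sqlite3.Connection, userid: str, password: str) -> None:
    db.execute("insert into apache_users (userid, password) values (?, ?)",
               (userid, md5hex(password)))


def authenticate(db: sqlite3.Connection, userid: str, sent_pw: str,
                 log_when_locked: bool = True,
                 uri: str = "/intern/", ip: str = "10.66.53.7") -> bool:
    """One Basic-auth attempt as the (patched) module would run it.

    The SELECT carries the Auth_PG_pwd_whereclause from the .htaccess, so a
    locked user simply gets no row. The INSERT into apache_log fires the
    trigger, which is what moves the counter.
    """
    row = db.execute(
        "select password from apache_users where userid = ? "
        "and failed < (select max_failed from apache_parms)", (userid,)).fetchone()
    sent_hash = md5hex(sent_pw)
    ok = row is not None and hmac.compare_digest(row[0], sent_hash)
    if row is not None or log_when_locked:
        db.execute("insert into apache_log (userid, password, uri, ip) "
                   "values (?, ?, ?, ?)", (userid, sent_hash, uri, ip))
    return ok


def failed_count(db: sqlite3.Connection, userid: str):
    r = db.execute("select failed from apache_users where userid = ?",
                   (userid,)).fetchone()
    return None if r is None else r[0]


def reset_failed(db: sqlite3.Connection, userid: str) -> None:
    """What an administrator's page would do to unlock an account."""
    db.execute("update apache_users set failed = 0 where userid = ?", (userid,))


if __name__ == "__main__":
    db = new_db(max_failed=3)
    add_user(db, "alice", "correct horse")
    for _ in range(3):
        authenticate(db, "alice", "wrong")
    print("failed after 3 bad logins:", failed_count(db, "alice"))
    print("correct password while locked:", authenticate(db, "alice", "correct horse"))
    print("failed after that attempt:", failed_count(db, "alice"))
    print("next attempt:", authenticate(db, "alice", "correct horse"))
```

With log_when_locked=True the correct password on a locked account is rejected once, but the log row resets failed to 0, so the very next attempt succeeds: the lock slows a guessing attacker down but does not stop a correct guess, and an attacker who reaches max_failed just retries each candidate twice. With log_when_locked=False the lock holds until reset_failed runs, which is the behaviour the where clause suggests the poster intended. Either way apache_log ends up holding a digest of every password ever submitted, right or wrong; wrong guesses are very often a user's other passwords, so a practitioner would leave Auth_PG_log_pwd_field out and track failures by user name alone.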
--- Holger Marzen <ho****@marzen.de> wrote:
> And I don't like the idea that such a program needs admin privileges on
> the PostgreSQL side.

Good point. I am trying to be lazy. ;)

> I always use 2 tables and a function, that automatically adds a default
> group to a newly created user. .... And I modified mod_auth_pgsql to
> write always a record to a log table, even if the login fails.

I was wishing for that.

> My .htaccess looks like that:
> ....snip extensive examples...

WOW! Thank you thank you thank you! I was about
ready to give up on this. I will go back and try
again with this.

Thanks again,
mol


Nov 12 '05 #4