Recent changes to bugshttps://sourceforge.net/p/pam-pgsql/bugs/2014-09-27T20:51:14.588000ZRecent changes to bugs#12 md5_postgres does not include 'md5' prefix on hash2014-09-27T20:51:14.588000Z2014-09-27T20:51:14.588000ZJan Dittbernerhttps://sourceforge.net/u/jandd/https://sourceforge.nete084dbd3275a96ad8163545f1fdd95b83a408b0c<div class="markdown_content"><p>add Debian patch for this issue</p></div>#13 It is possible to login with any password if query's password is null.2014-09-27T20:48:56.231000Z2014-09-27T20:48:56.231000ZJan Dittbernerhttps://sourceforge.net/u/jandd/https://sourceforge.netd80336964da2e62c04a8ba3121bcb801ac3d853d<div class="markdown_content"><ul>
<li><strong>labels</strong>: --> patch</li>
</ul></div>#13 It is possible to login with any password if query's password is null.2014-09-27T20:48:01.156000Z2014-09-27T20:48:01.156000ZJan Dittbernerhttps://sourceforge.net/u/jandd/https://sourceforge.netb9d104789adf1fb7edf8543dd63837c0ac609cf0<div class="markdown_content"><p>attached the Debian patch for this issue</p></div>It is possible to login with any password if query's password is null.2013-01-15T14:02:45.081000Z2013-01-15T14:02:45.081000ZLucas Clemente Vellahttps://sourceforge.net/u/lvella/https://sourceforge.net66ff8264b1f482de2ea91b096f44fcf0aa95a20a<div class="markdown_content"><p>If the "pw_type" is crypt-based and the password field returned by the query is null, user is able to authenticate with any password. It is true that crypt("anything", ""); is always "", so if the crypted password is an empty string, this is (arguably) the correct behavior, but since it sounds very bad, pam_unix needs explicitly the nullok flag.</p>
<p>But the issue here is even worse: when crypt is used, pam_pgsql authenticates with any password both when the field is an empty string (arguably reasonable) and when it is null. This latter seems very bad, because no output from crypt represents a null password (although this concept is absent in original Unix).</p>
<p>In my opinion, a null password should be treated the same as no result, and should always fail.</p>
<p>A workaround is to use a query that never returns null, like:<br />
SELECT COALESCE(password, '§§INVALID') FROM auth_table;</p></div>It is possible to login with any password if query's password is null.2013-01-15T14:02:45.081000Z2013-01-15T14:02:45.081000ZLucas Clemente Vellahttps://sourceforge.net/u/lvella/https://sourceforge.netdaa439ad18a246dfdf55b1e110beea4aa6c4c648<div class="markdown_content"><p>Ticket 13 has been modified: It is possible to login with any password if query's password is null.<br />
Edited By: Jan Dittberner (jandd)</p></div>2012-09-14T18:07:57.225000Z2012-09-14T18:07:57.225000ZDeryl R. Doucettehttps://sourceforge.net/u/pgpkeys/https://sourceforge.net63b3604119927674093c51240dd9430ec0162bdd2012-09-14T18:07:55.098000Z2012-09-14T18:07:55.098000ZDeryl R. Doucettehttps://sourceforge.net/u/pgpkeys/https://sourceforge.net0a48232118bbf95cf0fbc8ee0f3b236120a3e0102012-09-14T18:07:54.772000Z2012-09-14T18:07:54.772000ZDeryl R. Doucettehttps://sourceforge.net/u/pgpkeys/https://sourceforge.net1e4f683485d738bcf2852ca88786f47dbd1e317a2012-09-14T18:07:54.703000Z2012-09-14T18:07:54.703000ZDeryl R. Doucettehttps://sourceforge.net/u/pgpkeys/https://sourceforge.netbed5ee3c6228807ff83fd1b6c60080a9e51b10d82012-09-14T18:07:54.614000Z2012-09-14T18:07:54.614000ZDeryl R. Doucettehttps://sourceforge.net/u/pgpkeys/https://sourceforge.net464c3171b6841596bc892498265d7181ef79e4a2