The md5_postgres method does not match the way postgres does it - there is a missing 'md5' from the hash:
Example:
template1=# alter user bma with encrypted password 'foobar';
ALTER ROLE
template1=# select passwd from pg_shadow where usename = 'bma';
passwd
md540056e0a5328aab9feb305ff9ffd390f
(1 row)
By adding some debug statements to src/backend_pgsql.c, we get the following:
Nov 9 21:41:30 labkey-test PAM_pgsql[29443]: encrypted foobarbma to 40056e0a5328aab9feb305ff9ffd390f
Nov 9 21:41:30 labkey-test PAM_pgsql[29443]: stored_pw = md540056e0a5328aab9feb305ff9ffd390f, tmp = 40056e0a5328aab9feb305ff9ffd390f
md5_postgres will always fail to authenticate the user without the md5 prefix, unless the user does a custom query to strip the 'md5' prefix coming out of the database.
add Debian patch for this issue
Ticket moved from /p/pam-pgsql/bugs/12/