#9 Authentication against postgres users require unencrypted pa

[Jan Dittberner]

The following issue has been submitted to the Debian bug tracker as #594721 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594721):

When you want to have fallback authentication schemes in postgresql, you need to
set up postgres to use pam, and then pam to use postgresql and others.

This can be accomplished with having pam rather than md5 in pg_hba.conf file.

Then you need to set up /etc/pam.d/postgres like
auth sufficient pam_pgsql.so
account sufficient pam_pgsql.so

And finally have /etc/pam_pgsql.conf like:
database = postgres
user = postgres
table = pg_catalog.pg_shadow
user_column = usename
pwd_column = passwd
;expired_column = acc_expired
;newtok_column = acc_new_pwreq
debug=1

The problem is that the hashed passwords of postgres uses an unsupported
algorithm, returning 'md5'||md5hash(password||login)

The only way I found to have pam support in postgres works is to add to
pam_pgsql.conf:
pw_type=clear
and in postgresql.conf
password_encryption = off
then restart postgres then reset my password.

Storing plaintext password is obviously Bad. IMHO, requiring that looks like a
major problem.

pam-pgsql should support postgres own hash algorithm.

The attached patch fixes the problem by adding a new mechanism md5_postgres and implementing code for using this mechanism.

[Jan Dittberner]