Improve wording of authentication files.

0bba6bdb · Bruce Momjian · 2c5aa2ac · 0bba6bdb · 0bba6bdb · 0bba6bdb
Commit 0bba6bdb authored Jun 18, 2001 by Bruce Momjian
4 changed files
--- a/doc/src/sgml/ref/pg_passwd.sgml
+++ b/doc/src/sgml/ref/pg_passwd.sgml
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/Attic/pg_passwd.sgml,v 1.6 2001/02/20 01:16:49 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/Attic/pg_passwd.sgml,v 1.7 2001/06/18 16:11:30 momjian Exp $
 Postgres documentation
 -->
@@ -16,7 +16,7 @@ Postgres documentation
 <refnamediv>
  <refname>pg_passwd</refname>
-  <refpurpose>Manipulate a text password file</refpurpose>
+  <refpurpose>Manipulate a secondary password file</refpurpose>
 </refnamediv>
 <refsynopsisdiv>
@@ -29,30 +29,28 @@ Postgres documentation
 <refsect1 id="app-pg-passwd-description">
  <title>Description</title>
  <para>
-   <application>pg_passwd</application> is a tool to manipulate a flat
+   <application>pg_passwd</application> is a tool for manipulating flat
-   text password file for the purpose of using that file to control
+   text password files. These files can control client authentication of
-   client authentication of the
+   the <productname>PostgreSQL</productname> server. More information
-   <productname>PostgreSQL</productname> server.  More information
   about setting up this authentication mechanism can be found in the
   <citetitle>Administrator's Guide</citetitle>.
  </para>
  <para>
-   The form of a text password file is one entry per line; the fields
+   The format of a text password file is one entry per line; the fields
-   of each entry are separated by colons.  The first field is the user
+   of each entry are separated by colons. The first field is the user
-   name, the second field is the encrypted password.  Other fields are
+   name, the second field is the encrypted password. Other fields are
   ignored (to allow password files to be shared between applications
-   that use similar formats).  The functionality of the
+   that use similar formats). <application>pg_passwd</application>
-   <application>pg_passwd</application> utility is to enable a user to
+   enables users to interactively add entries to such a file, to alter
-   interactively add entries to such a file, to alter passwords of
+   passwords of existing entries, and to encrypt such passwords.
-   existing entries, and to take care of encrypting the passwords.
  </para>
  <para>
-   Supply the name of the password file as argument to the <application>pg_passwd</application>
+   Supply the name of the password file as argument to the
-   command.  To be of use for client authentication the file needs to
+   <application>pg_passwd</application> command. To be used by
-   be located in the server's data directory, and the base name of
+   PostgreSQL, the file needs to be located in the server's data
-   the file needs to be specified in the
+   directory, and the base name of the file needs to be specified in the
   <filename>pg_hba.conf</filename> access control file.
 <screen>
@@ -90,11 +88,11 @@ host  mydb     133.65.96.250   255.255.255.255 password passwords
  <note>
   <para>
-    It is also useful to have entries in a password file with an empty
+    It is also useful to have entries in a password file with empty
-    password field.  (This is different from an empty password.)
+    password fields. (This is different from an empty password.) Such
-    These entries cannot be managed by
+    entries allow you to restrict users who can access the system. These
-    <application>pg_passwd</application>, but it is always possible to
+    entries cannot be managed by <application>pg_passwd</application>,
-    edit password files manually.
+    but you can edit password files manually.
   </para>
  </note>
 </refsect1>

--- a/src/backend/libpq/password.c
+++ b/src/backend/libpq/password.c
@@ -2,7 +2,7 @@
 * Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $Id: password.c,v 1.36 2001/03/22 03:59:30 momjian Exp $
+ * $Id: password.c,v 1.37 2001/06/18 16:11:30 momjian Exp $
 *
 */
@@ -76,9 +76,11 @@ verify_password(const Port *port, const char *user, const char *password)
 			FreeFile(pw_file);
 			/*
-			 * If the password is empty of "+" then we use the regular
+			 * If the password is empty or "+" then we use the regular
 			 * pg_shadow passwords. If we use crypt then we have to use
-			 * pg_shadow passwords no matter what.
+			 * pg_shadow passwords no matter what.  This is because
+			 * the current code needs non-encrypted passwords to
+			 * encrypt with a random salt.
 			 */
 			if (port->auth_method == uaCrypt
 				|| test_pw == NULL || test_pw[0] == '\0'

--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
--- a/src/backend/libpq/pg_ident.conf.sample
+++ b/src/backend/libpq/pg_ident.conf.sample
-# This is the pg_ident.conf file, which is used with Postgres ident-based
+# 
-# authentication (a subtype of host-based authentication).
+# 		PostgreSQL IDENT-BASED AUTHENTICATION MAPS
+# 
-# This is a table of ident usernames (typically Unix usernames) and 
+# This file controls PostgreSQL ident-based authentication. It maps ident
-# their corresponding Postgres usernames.  For example, user "bryanh" on
+# usernames (typically Unix usernames) to their corresponding PostgreSQL
-# some particular remote system may equate to Postgres user "guest1".
+# usernames. Entries are grouped by map name. Each record consists of
+# three fields:
-# This file contains multiple maps.  Each has a name.  The pg_hba.conf
+# 
-# file determines what connections relate to this file and for those that
+# 	o map name
-# do, which map to use.
+# 	o ident username
+# 	o PostgreSQL username
-# Each record consists of 3 tokens:
+# 
-#
+# For example, the following entry equates user "james" on a remote system
-# 1) map name
+# to PostgreSQL user "guest" in the map named "phoenix":
-# 2) ident username
+# 
-# 3) Postgres username
+# MAP       IDENT    PGUSERNAME
+# phoenix   james    guest
-# Note that it is possible for one user to map to multiple Postgres usernames.
+# 
-# A user always has to specify when he connects what Postgres username he is
+# "phoenix" can now be used by an "ident" record in $DATA/pg_hba.conf.
-# using.  This file is only used to validate that selection.
+# 
+# Multiple maps may be specified in this file and used by pg_hba.conf.
-# If you just need a one-to-one correspondence between usernames reported
+# 
-# by ident and Postgres usernames, you don't need this file.  Instead use
+# Note that it is possible for a remote user to map to multiple PostgreSQL
-# the special map name "sameuser" in pg_hba.conf.
+# usernames. The PostgreSQL username specified at connection time controls
+# which one is used.
-#MAP       IDENT    POSTGRES USERNAME
+# 
+# If all ident usernames and PostgreSQL usernames are the same, you don't
-#testmap   robert   bob
+# need this file. Instead, use the special map name "sameuser" in
-#testmap   lucy     lucy
+# pg_hba.conf.
+# 
+# MAP     IDENT    PGUSERNAME