Postgres: Problems with long passwords
I am seeing issues with a long passwords. The following works:
services:
postgresql:
image: postgres:10
ports:
- 127.0.0.1:5432:5432
environment:
- POSTGRES_USER=admin
- POSTGRES_PASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY
Now I can login with psql:
docker run -it --rm --network=host -e PGPASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY postgres:10 psql -h localhost -U admin
However, when I introduce a longer password, I cannot login anymore:
services:
postgresql:
image: postgres:10
ports:
- 127.0.0.1:5432:5432
environment:
- POSTGRES_USER=admin
- POSTGRES_PASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY
In psql:
docker run -it --rm --network=host -e PGPASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY postgres:10 psql -h localhost -U admin
FATAL: password authentication failed for user "admin"
Although I did not verify this, I believe this was introduced in https://github.com/docker-library/postgres/commit/3f585c58df93e93b730c09a13e8904b96fa20c58.
pbillen
All 7 comments
This is probably unrelated to the image, but to the behavior of initdb. More info to be found here: https://bugzilla.redhat.com/show_bug.cgi?id=785394.
Before https://github.com/docker-library/postgres/commit/3f585c58df93e93b730c09a13e8904b96fa20c58, we did not use initdb but altered the role, so we did not face this limitation.
pbillen
on 1 Oct 2018
Interesting limitation! IMO, we should probably have the script check the password length and warn if it's over 100, with some comments/links to the limitation in initdb (specifically, a link to https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org is probably warranted).
tianon
on 2 Oct 2018
Oh this is even more fun. initdb is fine, and gets the entire 101 character password (I was using 0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789a so it was trivial for me to verify I had the right number of characters), and psql works fine if I type that password at the prompt, but if I set it via PGPASSWORD it does not work. So a warning is 100% sufficient here (since it only will affect users of psql).
tianon
on 2 Oct 2018
Even more, if you first initialize the container with a short password, then login with psql, then alter role X with password '... long password ...', then psql with PGPASSWORD works again. Misteries.
I agree, a warning is granted here.
pbillen
on 2 Oct 2018
Even more, if you first initialize the container with a short password, then login with
psql, thenalter role X with password '... long password ...', thenpsqlwithPGPASSWORDworks again. Misteries.
Couldn't this be automated in the container's initialization (e.g. create the role with a random password of length < 100, then execute alter role...) - if not in the Dockerfile, then on first startup?
Remigius2011
on 6 Nov 2018
This all sounds to me like there's truncation happening somewhere -- I
think a warning is appropriate until/if upstream fixes the
truncation/limit issues.
tianon
on 6 Nov 2018
This all sounds to me like there's truncation happening somewhere -- I think a warning is appropriate until/if upstream fixes the truncation/limit issues.
I agree. I would be hesitant to introduce features/changes here which aren't backed by upstream components.
pbillen
on 6 Nov 2018
Related issues
tjamet
路
4Comments
alexisrolland
路
3Comments
AndriiOmelianenko
路
4Comments
andrewvo148
路
3Comments
weeger
路
4Comments
Most helpful comment
Even more, if you first initialize the container with a short password, then login with
psql, thenalter role X with password '... long password ...', thenpsqlwithPGPASSWORDworks again. Misteries.I agree, a warning is granted here.