Re: Programming interfaces when using MD5 authentication

From: Willy-Bas Loos <willybas(at)gmail(dot)com>
To: Preston de Guise <preston(at)anywebdb(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Programming interfaces when using MD5 authentication
Date: 2009-10-02 10:22:35
Message-ID: 1dd6057e0910020322m3f6968d3r66ac0343ac72d551@mail.gmail.com
Lists: pgsql-general

Hi,

I can only answer for the database part. This is on postgres 8.3.8.
The passwords can be checked against the table pg_shadow using this algorithm:
'md5'||md5(<password>||<username>)

HTH,

WBL

On Fri, Oct 2, 2009 at 1:48 AM, Preston de Guise <preston(at)anywebdb(dot)com> wrote:
> Hi,
>
> I apologise in advance if this is considered the wrong list to post onto. I
> couldn't find specific details for joining a DBD::Pg style mailing list so
> I'm hoping this is something that's relatively well known about by general
> PostgreSQL developers anyway.
>
> Using Perl to program interfaces to PostgreSQL, and had previously
> misunderstood how md5 password authentication worked, so I'm now re-doing
> it, but struggling to find out how DBD::Pg might be used to actually
> authenticate by passing an md5 of the password instead of the real thing.
>
> I understand from various reading that the md5 should be a double-process
> consisting of:
>
> phase1 = md5(password <concat> username)
> password_to_use = md5(phase1 <concat> salt)
>
> What I don't understand is how to "extract" the salt required to complete
> the second phase.
>
> Effectively what I'm hoping for is to be able to do something along the
> lines of:
>
> ---------------------------------------------------------------
> #!/usr/local/bin/perl -w
>
> use strict;
> use DBI;
> use Digest::MD5 qw(md5_hex);
> use DBD::Pg;
>
> my $user = "currentuser";
> my $pass = md5_hex("supersecretpassword" . $user);
>
> my $dbh = DBI->connect("dbi:Pg:dbname=monitoring","$user",$pass, {
> PrintError => 1 });
> if (defined($dbh)) {
>        $dbh->disconnect();
>        print "Successful\n";
> } else {
>        print "Failed!!\n";
> }
> ---------------------------------------------------------------
>
> In the above, if I prepend "md5" to the $pass variable I obviously get what
> exactly matches the content of the pg_shadow table entry for the given user
> ... however, either way the connection isn't successful because (from what
> I've been able to discern) I actually need to submit:
>
> md5 <concat> md5($pass <concat> salt)
>
> Can DBD::Pg be used for these connections? If anyone has experience in this
> I'd much appreciate your thoughts or suggestions. (I realise the "connect"
> function is from DBI, but it seems to me that the use of the salt required
> to properly authenticate will be specific somehow to DBD::Pg usage.)
>
> Cheers,
>
> Preston.
>
> --
> Preston de Guise
> http://www.enterprisesystemsbackup.com
>

--
"Patriotism is the conviction that your country is superior to all
others because you were born in it." -- George Bernard Shaw
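
The two hashes discussed in this thread, as an added Perl example that is not part of either message. The salt is sent by the server in its authentication request, and libpq (which DBD::Pg is built on) computes the salted reply itself from the plaintext password passed to connect. The function names and salt values below are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Sample values below are constructed.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Value stored in pg_shadow.passwd: 'md5' || md5(password || username)
sub pg_stored_md5 {
    my ($password, $username) = @_;
    return 'md5' . md5_hex($password . $username);
}

# Reply to the server's MD5 challenge:
#   'md5' || md5( md5(password || username) || salt )
# $salt: the 4 raw bytes carried in the server's authentication request.
# Only $phase1 is needed here, so pg_shadow contents deserve the same
# protection as the passwords themselves.
sub pg_wire_md5 {
    my ($password, $username, $salt) = @_;
    die "salt must be exactly 4 bytes\n" unless length($salt) == 4;
    my $phase1 = md5_hex($password . $username);   # hex text, no 'md5' prefix
    return 'md5' . md5_hex($phase1 . $salt);
}

# Check a candidate password against a pg_shadow entry.
sub password_matches {
    my ($password, $username, $stored) = @_;
    return pg_stored_md5($password, $username) eq $stored ? 1 : 0;
}

my ($user, $plain) = ('currentuser', 'supersecretpassword');
my $stored = pg_stored_md5($plain, $user);
print "pg_shadow value : $stored\n";
print "right password  : ", password_matches($plain, $user, $stored), "\n";
print "wrong password  : ", password_matches('guess', $user, $stored), "\n";

# Two constructed salts: the reply differs per connection, so a value
# hashed ahead of time in the script cannot be the one the server expects.
for my $salt (pack('C4', 0x01, 0x23, 0x45, 0x67), pack('C4', 0x89, 0xab, 0xcd, 0xef)) {
    printf "salt %s -> %s\n", unpack('H8', $salt), pg_wire_md5($plain, $user, $salt);
}
```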
