Skip site navigation (1) Skip section navigation (2)

Re: Postgresql security checks

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Josh Kupershmidt <schmiddy(at)gmail(dot)com>
Cc: Thom Brown <thom(at)linux(dot)com>, Machiel Richards <machielr(at)rdc(dot)co(dot)za>, "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Postgresql security checks
Date: 2010-09-07 23:10:22
Message-ID: 201009072310.o87NAMw01687@momjian.us (view raw or flat)
Thread:
Lists: pgsql-novice
Josh Kupershmidt wrote:
> On Wed, Sep 1, 2010 at 5:02 AM, Thom Brown <thom(at)linux(dot)com> wrote:
> 
> > SELECT usename
> > FROM pg_shadow
> > WHERE passwd = 'md5' || md5(usename)
> > OR passwd = 'md5' || md5('company_password');
> 
> I think this query should be:
> 
>   SELECT usename
>     FROM pg_shadow
>     WHERE passwd = 'md5' || md5(usename || usename) OR
>                    passwd = 'md5' || md5('company_password' || usename);
> 
> Since the md5 passwords in pg_shadow (and pg_authid) are created as:
>   MD5(password || username)
> 
> By the way, the documentation pages for pg_authid and pg_shadow don't
> mention that md5 passwords are stored in this fashion, perhaps they
> should? Or is this fact documented somewhere else I'm not seeing?

It is documented here:

	http://www.postgresql.org/docs/9.0/static/encryption-options.html
	17.7. Encryption Options
	Encrypting Passwords Across A Network
	
	    The MD5 authentication method double-encrypts the password on the
	client before sending it to the server. It first MD5-encrypts it based
	on the user name, and then encrypts it based on a random salt sent by
	the server when the database connection was made. It is this
	double-encrypted value that is sent over the network to the server.
	Double-encryption not only prevents the password from being discovered,
	it also prevents another connection from using the same encrypted
	password to connect to the database server at a later time. 

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +

In response to

Responses

pgsql-novice by date

Next:From: Thom BrownDate: 2010-09-07 23:13:53
Subject: Re: Postgresql security checks
Previous:From: Turner, John JDate: 2010-09-07 18:54:02
Subject: Re: Fwd: StackBuilder can't fetch application list?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group