From: | Çağıl Şeker <cagils(at)biznet(dot)com(dot)tr> |
---|---|
To: | "PostgreSQL-General-List (E-mail)" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: MD5 passwords explained (was Re: md5 hash question (2)) |
Date: | 2002-12-10 10:06:26 |
Message-ID: | 94327A2FE8C87C4C89A82DBE9E7B2B3F08688D@beetle.biznet.com.tr |
Lists: | pgsql-general |
> -----Original Message-----
> From: Magnus Naeslund(f) [mailto:mag(at)fbab(dot)net]
>
> There seems to be some confusion regarding the md5 authentication
> method used in postgresql, and I thought it might be good if I typed
> this message so that it can be referred to if anyone asks these
> questions again.
>
> Someone will surely correct me if I'm wrong :)
>
> The password in the database is stored like this:
>
> md5passwd = "md5"+md5(cleartxtpasswd+user);
--- Here something must be wrong ---
I've created a user 't' with the passwd 't'. The md5 shadow is:
"md5accc9105df5383111407fd5b41255e23"
Then:
echo "tt" | md5sum
"821ccb7eb5157bb2ab3727dc2845d62b"
echo "t+t" | md5sum
6860f8721849d643fe95e0b65a423341
which is different.
>
> When connecting and authenticating this happens:
>
> The server generates a random salt (nonce) and sends it to
> the client.
>
> md5salt = 4 random chars
>
> The client then does this:
>
> md5hash = md5(md5(cleartxtpasswd+user)+md5salt)
>
> and sends it to the server.
>
> The server then does the same on its side and compares the result
> with the hash gotten from the client. If they match the password
> is correct.
>
> This is standard MAC / shared secret stuff.
>
> It's done to avoid sending clear text passwords (or even the stored
> md5 password, to prevent brute force cracking) over the wire.
>
> Regards
> Magnus
>
>
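
Added example, not part of either message and not PostgreSQL's own code: the stored value and the salted challenge/response from the quoted description, checked against the shadow and `md5sum` values posted above. Assumptions beyond the thread: following libpq, the inner hash is fed to the second MD5 as its 32-character hex string and the reply carries an `md5` prefix; all function names here are hypothetical.

```python
import hashlib
import hmac
import os

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_shadow(password: str, user: str) -> str:
    """Stored value: "md5" + md5(password concatenated with user name)."""
    return "md5" + md5hex((password + user).encode())

def client_response(password: str, user: str, salt: bytes) -> str:
    """Client's answer to the server's 4-byte salt.
    Assumption (libpq behaviour): inner hash is used in hex form and the
    reply is prefixed with "md5"."""
    inner = md5hex((password + user).encode())
    return "md5" + md5hex(inner.encode() + salt)

def server_verify(shadow: str, salt: bytes, response: str) -> bool:
    """Server side: needs only the stored shadow, never the cleartext."""
    expected = "md5" + md5hex(shadow[3:].encode() + salt)
    return hmac.compare_digest(expected, response)

# Values quoted in the message above (user 't', password 't').
PAGE_SHADOW = "md5accc9105df5383111407fd5b41255e23"
PAGE_ECHO_TT = "821ccb7eb5157bb2ab3727dc2845d62b"

def compare_with_thread() -> dict:
    """Which inputs reproduce the values posted in the thread."""
    return {
        # "+" in the formula is string concatenation: md5("tt")
        "concatenation_matches_shadow": stored_shadow("t", "t") == PAGE_SHADOW,
        # echo appends a newline, so md5sum hashed "tt\n", not "tt"
        "echo_hashed_trailing_newline": md5hex(b"tt\n") == PAGE_ECHO_TT,
        # a literal "+" character is not part of the hashed input
        "literal_plus_matches_shadow": "md5" + md5hex(b"t+t") == PAGE_SHADOW,
    }

if __name__ == "__main__":
    salt = os.urandom(4)  # constructed per-connection salt
    reply = client_response("t", "t", salt)
    print(compare_with_thread())
    print("login accepted:", server_verify(PAGE_SHADOW, salt, reply))
```

Because `server_verify` works from the shadow alone, anyone who obtains the stored hash can compute a valid response without knowing the cleartext password, so the stored value needs the same protection as a password.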