Skip site navigation (1) Skip section navigation (2)

Re: Postgresql security checks

From: Thom Brown <thom(at)linux(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Josh Kupershmidt <schmiddy(at)gmail(dot)com>, Machiel Richards <machielr(at)rdc(dot)co(dot)za>, "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Postgresql security checks
Date: 2010-09-07 23:13:53
Message-ID: AANLkTi=pcP=T6SbbkPpEgrpSbnNqnQc72ZReTHdueMkc@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-novice
On 8 September 2010 00:10, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> Josh Kupershmidt wrote:
>> On Wed, Sep 1, 2010 at 5:02 AM, Thom Brown <thom(at)linux(dot)com> wrote:
>>
>> > SELECT usename
>> > FROM pg_shadow
>> > WHERE passwd = 'md5' || md5(usename)
>> > OR passwd = 'md5' || md5('company_password');
>>
>> I think this query should be:
>>
>>   SELECT usename
>>     FROM pg_shadow
>>     WHERE passwd = 'md5' || md5(usename || usename) OR
>>                    passwd = 'md5' || md5('company_password' || usename);
>>
>> Since the md5 passwords in pg_shadow (and pg_authid) are created as:
>>   MD5(password || username)
>>
>> By the way, the documentation pages for pg_authid and pg_shadow don't
>> mention that md5 passwords are stored in this fashion, perhaps they
>> should? Or is this fact documented somewhere else I'm not seeing?
>
> It is documented here:
>
>        http://www.postgresql.org/docs/9.0/static/encryption-options.html
>        17.7. Encryption Options
>        Encrypting Passwords Across A Network
>
>            The MD5 authentication method double-encrypts the password on the
>        client before sending it to the server. It first MD5-encrypts it based
>        on the user name, and then encrypts it based on a random salt sent by
>        the server when the database connection was made. It is this
>        double-encrypted value that is sent over the network to the server.
>        Double-encryption not only prevents the password from being discovered,
>        it also prevents another connection from using the same encrypted
>        password to connect to the database server at a later time.

The difference with that is that it's talking about how passwords are
protected by a form of encryption when sent across a connection rather
than how they're stored in a database.

-- 
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

In response to

Responses

pgsql-novice by date

Next:From: Bruce MomjianDate: 2010-09-07 23:26:05
Subject: Re: Postgresql security checks
Previous:From: Bruce MomjianDate: 2010-09-07 23:10:22
Subject: Re: Postgresql security checks

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group