| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Fernando Moreno <azazel(dot)7(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
| Subject: | Re: [GENERAL] db_user_namespace, md5 and changing passwords |
| Date: | 2008-11-13 15:06:05 |
| Message-ID: | 18900.1226588765@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> I am unsure of exactly where this thing hacks into the authentication
> stream, but is it really only MD5 that fails?
The problem with md5 is that the username is part of the encryption salt
for the stored password, so changing it breaks that --- the client will
hash the password with what it thinks the username is, but the stored
password in pg_authid is hashed with what the server thinks the username
is.
You might be right that some other auth methods have an issue too,
but md5 is the only one anyone's ever reported a problem with. That
might or might not just represent lack of testing.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Sam Mason | 2008-11-13 15:11:37 | Re: Suboptimal execution plan for simple query |
| Previous Message | Grzegorz Jaśkiewicz | 2008-11-13 14:59:34 | Re: sort_mem param of postgresql.conf |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2008-11-13 15:15:15 | Suppress leap-second timezones in pg_timezone_names view? |
| Previous Message | Magnus Hagander | 2008-11-13 14:48:17 | Re: [GENERAL] db_user_namespace, md5 and changing passwords |