From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Çağıl Şeker <cagils(at)biznet(dot)com(dot)tr> |
Cc: | "PostgreSQL-General-List (E-mail)" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: md5 hash question (2) |
Date: | 2002-12-10 19:05:43 |
Message-ID: | 200212101905.gBAJ5hR14876@candle.pha.pa.us |
Lists: | pgsql-general |
Çağıl Şeker wrote:
>
> sorry, but I have another q about that md5 hashing. When I use
> a sniffer on the wire I see md5 hashes of user - probably the
> password hash. But when I compare the password hash with the
> hash on the wire I see they are different. In what format is
> the md5 hash on the wire encoded? I've tried double md5'ing but
> didn't get the right hash.

Ah, so you are snooping. The trick is that a random number is sent to
the client on connection. The client double-MD5 encrypts the
user-supplied password --- once using the username as salt, and secondly
using the random number sent by the server. That way, you can't replay
the sniffed password later to connect to the server.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
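
The exchange described in the reply above, as an added example that is not part of the original email: it computes the stored hash and the on-the-wire response, then shows that a captured response fails verification once the server issues a different random number. The `md5` prefix, the concatenation order and the 4-byte salt follow PostgreSQL's md5 authentication method and are not stated in the email; the user name, password and salts are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_hash(user: str, password: str) -> str:
    """Server-side value: 'md5' + md5(password || username)."""
    return "md5" + md5_hex(password.encode() + user.encode())


def wire_response(stored: str, salt: bytes) -> str:
    """Client response: 'md5' + md5(hex digest of stored hash || salt)."""
    inner_hex = stored[len("md5"):]  # the 32 hex characters, not raw bytes
    return "md5" + md5_hex(inner_hex.encode("ascii") + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server recomputes the response for the salt it issued and compares."""
    return hmac.compare_digest(wire_response(stored, salt), response)


# Constructed sample values (assumptions, not from the email).
USER = "alice"
PASSWORD = "example-password"
SALT_1 = bytes.fromhex("01020304")  # random number sent on the first connection
SALT_2 = bytes.fromhex("a1b2c3d4")  # random number sent on a later connection


def demo() -> dict:
    stored = stored_hash(USER, PASSWORD)
    sniffed = wire_response(stored, SALT_1)
    # What the question tried: md5 applied twice, with no user name or salt.
    naive_double = "md5" + md5_hex(md5_hex(PASSWORD.encode()).encode())
    return {
        "stored_equals_wire": stored == sniffed,
        "naive_double_md5_equals_wire": naive_double == sniffed,
        "accepted_with_issued_salt": server_verify(stored, SALT_1, sniffed),
        "replay_accepted_with_new_salt": server_verify(stored, SALT_2, sniffed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```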