From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Josh Kupershmidt <schmiddy(at)gmail(dot)com> |
Cc: | Thom Brown <thom(at)linux(dot)com>, Machiel Richards <machielr(at)rdc(dot)co(dot)za>, "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org> |
Subject: | Re: Postgresql security checks |
Date: | 2010-09-07 23:10:22 |
Message-ID: | 201009072310.o87NAMw01687@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-novice |
Josh Kupershmidt wrote:
> On Wed, Sep 1, 2010 at 5:02 AM, Thom Brown <thom(at)linux(dot)com> wrote:
>
> > SELECT usename
> > FROM pg_shadow
> > WHERE passwd = 'md5' || md5(usename)
> > OR passwd = 'md5' || md5('company_password');
>
> I think this query should be:
>
> SELECT usename
> FROM pg_shadow
> WHERE passwd = 'md5' || md5(usename || usename) OR
> passwd = 'md5' || md5('company_password' || usename);
>
> Since the md5 passwords in pg_shadow (and pg_authid) are created as:
> MD5(password || username)
>
> By the way, the documentation pages for pg_authid and pg_shadow don't
> mention that md5 passwords are stored in this fashion, perhaps they
> should? Or is this fact documented somewhere else I'm not seeing?
It is documented here:
http://www.postgresql.org/docs/9.0/static/encryption-options.html
17.7. Encryption Options
Encrypting Passwords Across A Network
The MD5 authentication method double-encrypts the password on the
client before sending it to the server. It first MD5-encrypts it based
on the user name, and then encrypts it based on a random salt sent by
the server when the database connection was made. It is this
double-encrypted value that is sent over the network to the server.
Double-encryption not only prevents the password from being discovered,
it also prevents another connection from using the same encrypted
password to connect to the database server at a later time.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
From | Date | Subject | |
---|---|---|---|
Next Message | Thom Brown | 2010-09-07 23:13:53 | Re: Postgresql security checks |
Previous Message | Turner, John J | 2010-09-07 18:54:02 | Re: Fwd: StackBuilder can't fetch application list? |