From: | Josh Kupershmidt <schmiddy(at)gmail(dot)com> |
---|---|
To: | Thom Brown <thom(at)linux(dot)com> |
Cc: | Machiel Richards <machielr(at)rdc(dot)co(dot)za>, "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org> |
Subject: | Re: Postgresql security checks |
Date: | 2010-09-01 15:17:39 |
Message-ID: | AANLkTi=0bKbfvm2L4QVtJfbNXTbR8frAS5dvbLqAAWdw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-novice |
On Wed, Sep 1, 2010 at 5:02 AM, Thom Brown <thom(at)linux(dot)com> wrote:
> SELECT usename
> FROM pg_shadow
> WHERE passwd = 'md5' || md5(usename)
> OR passwd = 'md5' || md5('company_password');
I think this query should be:
SELECT usename
FROM pg_shadow
WHERE passwd = 'md5' || md5(usename || usename) OR
passwd = 'md5' || md5('company_password' || usename);
Since the md5 passwords in pg_shadow (and pg_authid) are created as:
MD5(password || username)
By the way, the documentation pages for pg_authid and pg_shadow don't
mention that md5 passwords are stored in this fashion, perhaps they
should? Or is this fact documented somewhere else I'm not seeing?
Josh
From | Date | Subject | |
---|---|---|---|
Next Message | Thom Brown | 2010-09-01 15:32:40 | Re: Postgresql security checks |
Previous Message | Jean-Yves F. Barbier | 2010-09-01 11:01:04 | Re: Database size in specific metrics |