Known but bad behavior with alter user?

Started by Joshua D. Drake almost 20 years ago, 4 messages
#1Joshua D. Drake
jd@commandprompt.com

Hello,

Take the following:

template1=# alter user foo rename to bar;
NOTICE: MD5 password cleared because of role rename
NOTICE: MD5 password cleared because of role rename
ALTER ROLE
template1=#

Now we have to reset the password.. which seems an extra
step that shouldn't be required.

Joshua D. Drake

#2Stephen Frost
sfrost@snowman.net
In reply to: Joshua D. Drake (#1)
Re: Known but bad behavior with alter user?

* Joshua D. Drake (jd@commandprompt.com) wrote:

template1=# alter user foo rename to bar;
NOTICE: MD5 password cleared because of role rename
NOTICE: MD5 password cleared because of role rename
ALTER ROLE
template1=#

Now we have to reset the password.. which seems an extra
step that shouldn't be required.

Wouldn't this be because the username is used as the salt for MD5 and so
there's no way to update the password because the system doesn't know
the original password?

Enjoy,

Stephen

#3Tom Lane
tgl@sss.pgh.pa.us
In reply to: Stephen Frost (#2)
Re: Known but bad behavior with alter user?

Stephen Frost <sfrost@snowman.net> writes:

* Joshua D. Drake (jd@commandprompt.com) wrote:

template1=# alter user foo rename to bar;
NOTICE: MD5 password cleared because of role rename

Now we have to reset the password.. which seems an extra
step that shouldn't be required.

Wouldn't this be because the username is used as the salt for MD5 and so
there's no way to update the password because the system doesn't know
the original password?

Yeah. This isn't changing unless you have an alternative that's not
worse (ie, doesn't defeat the purpose of storing an encrypted password).

regards, tom lane

#4Stephen Frost
sfrost@snowman.net
In reply to: Tom Lane (#3)
Re: Known but bad behavior with alter user?

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

Stephen Frost <sfrost@snowman.net> writes:

* Joshua D. Drake (jd@commandprompt.com) wrote:

template1=# alter user foo rename to bar;
NOTICE: MD5 password cleared because of role rename

Now we have to reset the password.. which seems an extra
step that shouldn't be required.

Wouldn't this be because the username is used as the salt for MD5 and so
there's no way to update the password because the system doesn't know
the original password?

Yeah. This isn't changing unless you have an alternative that's not
worse (ie, doesn't defeat the purpose of storing an encrypted password).

Well, you could use a random salt and then keep track of that random
salt. Of course, there are issues with this: either the salt has to be
provided to the client in order to use it to generate the MD5 to send to
the server for authorization, or the client has to send the password in
the clear to the server (the normal unix/PAM method) so the server can
use the stored random salt to generate the MD5 to compare to the stored
hashed password.

The first case would change our protocol (I believe) and would provide
the random salt to anyone who asked (which means using a random salt
instead of the username doesn't gain us very much). The second case
would mean the plaintext password would be sent in the clear to the
server meaning anyone eavesdropping, or an admin on the server, would be
able to get at the password. Now, I think an admin could still get the
client to send the password in the clear if s/he changed pg_hba.conf
appropriately, and anyone eavesdropping would be able to get whatever is
required to authenticate in any case, though perhaps wouldn't be able to
reuse that information for other servers (such as if it had been a
plaintext password which was used elsewhere).

Enjoy,

Stephen
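
Added example, not part of the original thread: a Python sketch of the MD5 scheme the posters describe, where the stored value is md5(password || role name) and the client answers a per-connection 4-byte salt, showing why a rename leaves the old stored hash unusable. The function names and the sample password and role names are constructed for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, rolename: str) -> str:
    """Value the server keeps for md5 auth: 'md5' + md5(password || rolename).

    The role name acts as the salt, so the hash is bound to that name.
    """
    return "md5" + md5_hex(password.encode() + rolename.encode())


def client_response(password: str, rolename: str, salt: bytes) -> str:
    """Client side: 'md5' + md5(hex(md5(password || rolename)) || salt)."""
    inner = md5_hex(password.encode() + rolename.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: only the stored verifier and the connection salt are needed.

    The plaintext password never reaches the server, which is also why the
    server cannot re-hash it under a new role name.
    """
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def login_after_rename(password: str, old_name: str, new_name: str) -> bool:
    """Simulate keeping the old verifier after 'ALTER USER old RENAME TO new'."""
    verifier = stored_verifier(password, old_name)  # hashed under the old name
    salt = os.urandom(4)                            # per-connection salt
    # The client now connects under the new name and hashes with it.
    return server_check(verifier, salt, client_response(password, new_name, salt))


if __name__ == "__main__":
    # Constructed sample values.
    print("same name   :", login_after_rename("s3cret", "foo", "foo"))
    print("after rename:", login_after_rename("s3cret", "foo", "bar"))
```
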