MD5 question?

Started by Çağıl Şeker over 23 years ago, 3 messages, general
#1 Çağıl Şeker
cagils@biznet.com.tr

hi,

I am a little confused about how md5 passwd hashes are stored and used in PG. There was a discussion on this issue but it was more confusing for me. When I create a new user its passwd is stored as an md5 hash (I don't know if it is related to the hba_conf md5 line, is it??). My hba_conf requires md5 for all connections. And I can connect. Then I change a user's passwd with an UPDATE pg_shadow set passwd blablabla SQL command to, for example, 'qwerty' without md5 hashing. Then I see the passwd in pg_shadow as clear text, not md5. But I can still connect by using qwerty and an md5 connection. Here I am confused. When I use update ... is it stored as clear-text? If so, when I connect with md5, is it still md5 on the wire? If so, how does PG tell clear-text from md5 on the server side?

Cagil SEKER (Çağıl ŞEKER)
-----------------
"Yes, I am a criminal. My crime is that of outsmarting you. Something that you'll never forgive me for!" - The Mentor'86 (Hacker's Manifesto)
-----------------

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Çağıl Şeker (#1)
Re: MD5 question?

Çağıl Şeker <cagils@biznet.com.tr> writes:

> Then I change a user's passwd by UPDATE pg_shadow set passwd blablabla
> SQL command to for example 'qwerty' without md5 hashing.

You shouldn't do that. There is an ALTER USER command for changing
users' passwords. Any time you directly hack on the system catalogs,
it's up to you to know what you are doing and what the consequences
will be.

regards, tom lane

#3 Bruce Momjian
bruce@momjian.us
In reply to: Çağıl Şeker (#1)
Re: MD5 question?

Çağıl Şeker wrote:

> hi,
>
> I am a little confused about how md5 passwd hashes are stored and used
> in PG. There was a discussion on this issue but it was more
> confusing for me. When I create a new user its passwd is stored
> as an md5 hash (I don't know if it is related to the hba_conf md5 line,
> is it??). My hba_conf requires md5 for all connections. And I
> can connect. Then I change a user's passwd with an UPDATE pg_shadow
> set passwd blablabla SQL command to, for example, 'qwerty' without
> md5 hashing. Then I see the passwd in pg_shadow as clear text,
> not md5. But I can still connect by using qwerty and an md5
> connection. Here I am confused. When I use update ... is it
> stored as clear-text? If so, when I connect with md5, is it
> still md5 on the wire? If so, how does PG tell clear-text from md5 on
> the server side?

You basically can store pg_shadow as MD5-encrypted passwords, or
plaintext. Both can pass MD5 across the wire.

pg_shadow encryption is controlled by the CREATE/ALTER USER ENCRYPTION
PASSWORD option, and in postgresql.conf using password_encryption.

In 7.2, plaintext was default, but in 7.3, encrypted is the default.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
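
An added example, not part of the original thread or of PostgreSQL's source: it models how a server can check the same md5 wire response against either stored form discussed above, and how an audit can list accounts whose pg_shadow entry is still plaintext. It assumes PostgreSQL's md5 scheme (stored value is "md5" followed by md5(password + username); the response hashes that hex digest with a 4-byte salt). The function names, users, passwords and salt are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_md5(password: str, user: str) -> str:
    """Encrypted pg_shadow form: 'md5' + md5(password || username)."""
    return "md5" + md5_hex((password + user).encode())

def is_md5_stored(passwd: str) -> bool:
    """Tell the two stored forms apart: 'md5' prefix, 35 chars in total.
    Requiring 32 lowercase hex digits is a slightly stricter choice made here."""
    return (len(passwd) == 35 and passwd.startswith("md5")
            and all(c in "0123456789abcdef" for c in passwd[3:]))

def client_response(password: str, user: str, salt: bytes) -> str:
    """What a client sends when pg_hba.conf asks for md5."""
    inner = stored_md5(password, user)[3:]
    return "md5" + md5_hex(inner.encode() + salt)

def server_expected(shadow_passwd: str, user: str, salt: bytes) -> str:
    """Derive the expected response from either stored form."""
    if is_md5_stored(shadow_passwd):
        inner = shadow_passwd[3:]          # already hashed: use as is
    else:
        # plaintext entry: the server computes the inner hash itself
        inner = md5_hex((shadow_passwd + user).encode())
    return "md5" + md5_hex(inner.encode() + salt)

def verify(shadow_passwd: str, user: str, salt: bytes, response: str) -> bool:
    expected = server_expected(shadow_passwd, user, salt)
    return hmac.compare_digest(expected, response)

def plaintext_users(rows):
    """Audit helper: usernames whose stored passwd is not in md5 form."""
    return [u for u, p in rows if p is not None and not is_md5_stored(p)]

# Constructed sample data standing in for (usename, passwd) rows of pg_shadow.
SALT = b"\x01\x02\x03\x04"
ROWS = [
    ("alice", stored_md5("s3cret", "alice")),  # set via ALTER USER, encrypted
    ("bob", "qwerty"),                          # set via direct UPDATE, plaintext
    ("carol", None),                            # no password set
]

if __name__ == "__main__":
    resp = client_response("qwerty", "bob", SALT)
    print("plaintext row accepts md5 response:", verify("qwerty", "bob", SALT, resp))
    print("users to fix with ALTER USER:", plaintext_users(ROWS))
```
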