Stephen Frost wrote:
>Is it actually doing challenge-response where the challenge is different
>each time?
>
The docs say:
AuthenticationMD5Password
The frontend must now send a PasswordMessage containing the password encrypted via MD5, using the 4-character salt
specified in the AuthenticationMD5Password message. If this is the correct password, the server responds with an
AuthenticationOk, otherwise it responds with an ErrorResponse.
A little investigation reveals that this is port->md5salt which is 4
random bytes set up fresh per connection (see src/backend/libpq/auth.c
and src/backend/postmaster/postmaster.c). So it seems indeed to be a
true (small) one time challenge token, unless I've missed something.
cheers
andrew
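As an added illustration, not part of the thread, here is the exchange the docs describe, with the server's stored hash, a fresh per-connection salt and the client's PasswordMessage. It assumes PostgreSQL's MD5 method, "md5" + md5(md5(password || username) || salt), which the thread does not spell out, and uses constructed credentials.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the illustration.
USERNAME = "alice"
PASSWORD = "correct horse"


def stored_hash(password: str, username: str) -> str:
    """What the server keeps for MD5 auth: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def new_salt() -> bytes:
    """port->md5salt: 4 random bytes drawn fresh for each connection."""
    return os.urandom(4)


def password_message(password: str, username: str, salt: bytes) -> str:
    """Client side: 'md5' + md5(md5(password || username) || salt)."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response from the stored hash and this connection's salt."""
    inner = stored[len("md5"):]
    expected = "md5" + hashlib.md5(inner.encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def run_exchange(stored: str, password: str, username: str, salt: bytes):
    """One connection: AuthenticationMD5Password(salt) -> PasswordMessage -> AuthenticationOk / ErrorResponse."""
    response = password_message(password, username, salt)
    return salt, response, verify(stored, salt, response)


if __name__ == "__main__":
    stored = stored_hash(PASSWORD, USERNAME)
    salt1, resp1, ok1 = run_exchange(stored, PASSWORD, USERNAME, new_salt())
    print(f"connection 1: salt={salt1.hex()} -> {'AuthenticationOk' if ok1 else 'ErrorResponse'}")
    # A second connection draws a new salt, so the first connection's response no longer verifies.
    salt2 = new_salt()
    print(f"connection 2: first response still accepted? {verify(stored, salt2, resp1)}")
```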