Discussion: MD5 question?

MD5 question?

From
Çağıl Şeker
Date:

 hi,

I am a little confused on how md5 passwd hashes stored and used in PG. There was a discussion on this issue but it was
more confusing for me. When I create a new user its passwd is stored as md5 hashes (I don't know if it related to
hba_conf md5 line, is it??). My hba_conf requires md5 for all connections. And I can connect. Then I change a user's
passwd by UPDATE pg_shadow set passwd blablabla SQL command to for example 'qwerty' without md5 hashing. Then I see the
passwd in pg_shadow as clear text not md5. But I can still connect by using qwerty and md5 connection. Here I am
confused. When I use update ... is it stored as clear-text. If so, when I connect it with md5, is on the wire still md5.
If so how PG tells clear-text from md5 on the server side?

Cagil SEKER (Çağıl ŞEKER)
-----------------
"Yes, I am a criminal. My crime is that of outsmarting you. Something that you'll never forgive me for!" - The
Mentor'86(Hacker's Manifesto) 
-----------------

Re: MD5 question?

From
Tom Lane
Date:
Çağıl Şeker <cagils@biznet.com.tr> writes:
> Then I change a user's passwd by UPDATE pg_shadow set passwd blablabla
> SQL command to for example 'qwerty' without md5 hashing.

You shouldn't do that.  There is an ALTER USER command for changing
users' passwords.  Any time you directly hack on the system catalogs,
it's up to you to know what you are doing and what the consequences
will be.

            regards, tom lane

Re: MD5 question?

From
Bruce Momjian
Date:
Çağıl Şeker wrote:
>
>
>  hi,
>
> I am a little confused on how md5 passwd hashes stored and used
> in PG. There was a discussion on this issue but it was more
> confusing for me. When I create a new user its passwd is stored
> as md5 hashes (I don't know if it related to hba_conf md5 line,
> is it??). My hba_conf requires md5 for all connections. And I
> can connect. Then I change a user's passwd by UPDATE pg_shadow
> set passwd blablabla SQL command to for example 'qwerty' without
> md5 hashing. Then I see the passwd in pg_shadow as clear text
> not md5. But I can still connect by using qwerty and md5
> connection. Here I am confused. When I use update ... is it
> stored as clear-text. If so, when I connect it with md5, is on
> the wire still md5. If so how PG tells clear-text from md5 on
> the server side?
>

You basically can store pg_shadow as MD5-encrypted passwords, or
plaintext.  Both can pass MD5 across the wire.

pg_shadow encryption is controlled by the CREATE/ALTER USER ENCRYPTION
PASSWORD option, and in postgresql.conf using password_encryption.

In 7.2, plaintext was default, but in 7.3, encrypted is the default.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
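
How a server can accept an MD5 response for either stored form, as an added example that is not part of the thread and not PostgreSQL's own code. It follows the documented md5 method (`md5` + md5(md5(password + username) + salt)); the function names, the user `alice` and the salt are assumptions made for the illustration.

```python
import hashlib
import hmac

MD5_PREFIX = "md5"
MD5_STORED_LEN = 35  # "md5" + 32 hex digits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5(password: str, username: str) -> str:
    """pg_shadow value for an MD5-stored password: 'md5' + md5(password || username)."""
    return MD5_PREFIX + md5_hex((password + username).encode())


def is_md5_stored(shadow_value: str) -> bool:
    """Tell an MD5 entry from plaintext by its shape: prefix, length, hex digits."""
    tail = shadow_value[len(MD5_PREFIX):]
    return (shadow_value.startswith(MD5_PREFIX)
            and len(shadow_value) == MD5_STORED_LEN
            and all(c in "0123456789abcdef" for c in tail))


def salted(inner_hex: str, salt: bytes) -> str:
    """Second MD5 round: first-round hex digest plus the per-connection salt."""
    return MD5_PREFIX + md5_hex(inner_hex.encode() + salt)


def client_response(password: str, username: str, salt: bytes) -> str:
    """What the client sends when the server asks for md5 authentication."""
    return salted(md5_hex((password + username).encode()), salt)


def server_expected(shadow_value: str, username: str, salt: bytes) -> str:
    """Response the server expects, whichever way the password is stored."""
    if is_md5_stored(shadow_value):
        inner = shadow_value[len(MD5_PREFIX):]  # first round already done
    else:
        inner = md5_hex((shadow_value + username).encode())  # plaintext: do it now
    return salted(inner, salt)


def authenticate(shadow_value: str, username: str, salt: bytes, response: str) -> bool:
    return hmac.compare_digest(server_expected(shadow_value, username, salt), response)


# 'qwerty' is the thread's example password; user and salt are constructed.
USER, PASSWORD, SALT = "alice", "qwerty", b"\x01\x02\x03\x04"
```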