Обсуждение: [GENERAL] Client Authentication methods
Hi All,
I am trying to understand the Authentication method in pg_hba.conf file (password & md5) in PostgreSQL database server.
I am assuming that the user provides the connection string host/usser/password,then client will go and contact the DB server pg_hba.conf file in memory without carrying password over the network initially, and then it confirms the authentication method from pg_hba.conf ,then it decides weather it send clear text or md5 encrypted password from client to Server to make a session?
Is my assumption is correct ? or What exactly it make the difference for client if i use md5/password in pg_hba.conf file in DB server?.
Thanks,
chiru
chiru r wrote: > Hi All, > > I am trying to understand the Authentication method in pg_hba.conf file (password & md5) in > PostgreSQL database server. > > I am assuming that the user provides the connection string host/usser/password,then client will go > and contact the DB server pg_hba.conf file in memory without carrying password over the network > initially, and then it confirms the authentication method from pg_hba.conf ,then it decides weather > it send clear text or md5 encrypted password from client to Server to make a session? > > Is my assumption is correct ? or What exactly it make the difference for client if i use > md5/password in pg_hba.conf file in DB server?. > Your assumptions sound consistent with documentation appearing at https://www.postgresql.org/docs/10/static/protocol-flow.html https://www.postgresql.org/docs/10/static/auth-methods.html -- B -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
On 2017-11-10 08:25:24 -0500, chiru r wrote: > I am trying to understand the Authentication method in pg_hba.conf file > (password & md5) in PostgreSQL database server. > > I am assuming that the user provides the connection string host/usser/ > password,then client will go and contact the DB server pg_hba.conf file in > memory without carrying password over the network initially, and then it > confirms the authentication method from pg_hba.conf ,then it decides weather it > send clear text or md5 encrypted password from client to Server to make a > session? I'm not sure what "it" refers to in this sentence. If "it" refers to the client (as grammatically it should) then the answer is no. The client doesn't have access to the pg_hba.conf file. The client connects to the server, sending the username and database name, but not (yet) the password. Then the server checks the pg_hba.conf file to determine which authentication method to use. The server then sends an authentication request to the client, to which the client sends a response (including, or based on, the password). > Is my assumption is correct ? or What exactly it make the difference for client > if i use md5/password in pg_hba.conf file in DB server?. See https://www.postgresql.org/docs/10/static/auth-methods.html#AUTH-PASSWORD With method password, passwords are sent in plain text. With md5, an md5 hash of the password, the username, and a nonce is sent instead. hp -- _ | Peter J. Holzer | we build much bigger, better disasters now |_|_) | | because we have much more sophisticated | | | hjp@hjp.at | management tools. __/ | http://www.hjp.at/ | -- Ross Anderson <https://www.edge.org/>