Çağıl Şeker wrote:
>
> sorry, but I have another q about that md5 hashing. When I use
> a sniffer on the wire I see md5 hashes of user - probably the
> password hash. But when I compare the password hash with the
> hash on the wire I see they are different. In what format is
> the md5 hash on the wire encoded? I've tried double md5'ing but
> didn't get the right hash.
Ah, so you are snooping. The trick is that a random number is sent to
the client on connection. The client double-MD5 encrypts the
user-supplied password --- once using the username as salt, and secondly
using the random number sent by the server. That way, you can't replay
the sniffed password later to connect to the server.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
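
The scheme described in the reply above, as an added example that is not part of the original message or PostgreSQL's own code. The concatenation order, the "md5" prefix and the 4-byte salt follow PostgreSQL's MD5 authentication; the user name, password and salt values are constructed.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_hash(password: str, username: str) -> str:
    """First pass: password salted with the user name (hex digest kept by the server)."""
    return md5_hex(password.encode() + username.encode())


def wire_response(password: str, username: str, salt: bytes) -> str:
    """Second pass: first-pass hex digest salted with the server's random value."""
    inner = stored_hash(password, username)
    return "md5" + md5_hex(inner.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the second pass from the stored digest and this connection's salt."""
    expected = "md5" + md5_hex(stored.encode() + salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    user, password = "alice", "s3cret"       # constructed credentials
    salt_conn1 = bytes.fromhex("01020304")   # constructed salt, first connection
    salt_conn2 = bytes.fromhex("a1b2c3d4")   # constructed salt, later connection
    stored = stored_hash(password, user)
    sniffed = wire_response(password, user, salt_conn1)
    plain_double = md5_hex(md5_hex(password.encode()).encode())
    return {
        # The value on the wire is neither the stored hash nor md5(md5(password)).
        "differs_from_stored": sniffed[3:] != stored,
        "differs_from_plain_double": sniffed[3:] != plain_double,
        # Valid for the connection whose salt it was computed with...
        "accepted_same_salt": server_verify(stored, salt_conn1, sniffed),
        # ...but rejected when replayed against a new connection's salt.
        "replay_accepted": server_verify(stored, salt_conn2, sniffed),
        "wire_length": len(sniffed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
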