Re: Password authentication confusion. - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Password authentication confusion.
Date
Msg-id 200305230406.h4N46vD08203@candle.pha.pa.us
In response to Password authentication confusion.  (Kurt Roeckx <Q@ping.be>)
List pgsql-hackers
md5 is double-encrypted from the client, once with the username as salt,
and a second time with random salt.  The password is stored in the
server using the username only as salt.  That's how we can do it so
sniffing doesn't help over the wire.  crypt uses a random salt, but
doesn't encrypt when stored in the server.

---------------------------------------------------------------------------

Kurt Roeckx wrote:
> I was just reading the manual on password authentication and
> encryption.
> 
> In pg_hba.conf you can say either "password", "md5", or "crypt",
> and says that controls how it goes over the line.
> 
> In create/alter user you can say "encrypted" or "unencrypted",
> and it will be stored like that in the database.
> 
> Is there some kind of challenge used in case the authentication
> is using md5/crypt?  In case of password too if it's stored
> encrypted?
> 
> Is the only case that it doesn't use a challenge maybe the case
> it's stored unencrypted and authentication method is password?
> 
> 
> Kurt
> 
> 

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
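The md5 scheme Bruce describes, worked through as an added example (not code from this thread or from the PostgreSQL sources): the stored form is md5(password || username) with the role name as the only salt, and the wire form is md5(stored_hex || 4-byte random salt) so a captured response is bound to one challenge. Function names, the role "alice" and its password are assumptions made up for the example.

```python
import hashlib
import hmac


def pg_md5_stored(password: str, username: str) -> str:
    # Stored form: "md5" + hex(md5(password || username)).
    # The username is the only salt, so it is fixed for a given role.
    digest = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + digest


def pg_md5_response(stored: str, salt: bytes) -> str:
    # Wire form: "md5" + hex(md5(stored_hex || salt)), where salt is the
    # 4 random bytes the server sends with its challenge.
    if not (stored.startswith("md5") and len(stored) == 35 and len(salt) == 4):
        raise ValueError("expected a 35-char md5 hash and a 4-byte salt")
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def client_response(password: str, username: str, salt: bytes) -> str:
    # The client hashes twice: first with the username, then with the salt.
    return pg_md5_response(pg_md5_stored(password, username), salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    # The server recomputes the expected response from the stored hash only;
    # the cleartext password never crosses the wire. Constant-time compare.
    return hmac.compare_digest(pg_md5_response(stored, salt), response)


def demo() -> tuple:
    # Constructed role, password and salts for illustration.
    username, password = "alice", "correct horse"
    stored = pg_md5_stored(password, username)
    salt_a = b"\x01\x02\x03\x04"  # constructed "random" challenge
    response = client_response(password, username, salt_a)
    accepted = server_verify(stored, salt_a, response)
    # A response sniffed during one session is useless against a fresh
    # challenge: the server now expects a hash over a different salt.
    salt_b = b"\x05\x06\x07\x08"
    replayed = server_verify(stored, salt_b, response)
    return accepted, replayed  # (True, False)


if __name__ == "__main__":
    print(demo())
```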