Re: pg_hba.conf - md5 - Mailing list pgsql-general

From Michael Fuhr
Subject Re: pg_hba.conf - md5
Msg-id 20070609133944.GA31527@winnie.fuhr.org
In response to pg_hba.conf - md5  (Vince <vincej@gmail.com>)
List pgsql-general
On Sat, Jun 09, 2007 at 02:43:06AM -0700, Vince wrote:
> I want to access by postgre db over the internet.  My pg_hba.conf if
> setup to do this:
> host    all         all         0.0.0.0/0    md5
>
> Now, what I don't understand is how does the "md5" affect things?

It causes the password exchange between the client and the server
to hash the user's password with a salt (random value) that the
server sends.  This prevents the password from being passed in the
clear and it aims to prevent replay attacks, where an attacker who
had sniffed a previous session could respond to the server's challenge
without knowing the password by resending the same response it had
seen before (such an attack would still work in the unlikely -- but
possible -- event that the attacker had sniffed a previous session
that used the same salt).

MD5 authentication works like this:

Client: username, databasename
Server: MD5 authentication, salt
Client: MD5(MD5(password || username) || salt)

The server performs the same calculation (the user's password is
typically already stored in the system catalogs as MD5(password ||
username)).  If the results match then authentication succeeds.

> If I connect via php:
> $db = pg_connect('host=xx.xx.xx.xx port=5433 dbname=MYDB user=postgres
> password=mypass');
>
> "mypass" being whatever my password is; is still set in plain text?

No.

> Why don't I have to send the md5 version of the password to connect?

Because libpq (or whatever underlying library you're using) does
that for you.

If you want to allow connections over an open network then consider
using SSL and allowing only hostssl connections from everywhere
except trusted networks.

http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html

The server could optionally require the client to present a certificate
signed by a specific CA and the client could require the same of the
server; see the discussion of root.crt for more information.

--
Michael Fuhr
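The exchange described above, as an added example that is not part of the original post: it reproduces the catalog hash, the client's salted response and the server-side check, and shows why a sniffed response only replays successfully when the server happens to reuse the same salt. The "md5" prefix on the hex digests and the 4-byte salt are assumptions about the wire format, not something the post states.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_password_hash(password: str, username: str) -> str:
    """What the server keeps in the catalog: MD5(password || username).
    The "md5" prefix is an assumed storage convention."""
    return "md5" + md5_hex(password.encode() + username.encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """What libpq computes for the user: MD5(MD5(password || username) || salt)."""
    inner = md5_hex(password.encode() + username.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_verifies(stored: str, response: str, salt: bytes) -> bool:
    """The server repeats the outer hash from the stored value only;
    it never needs the plaintext password."""
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def new_salt() -> bytes:
    # Assumed salt size; a fresh random salt per connection is what
    # defeats replay of an earlier response.
    return os.urandom(4)


def handshake(stored: str, password: str, username: str, salt: bytes) -> bool:
    """One full exchange: server offers salt, client answers, server checks."""
    return server_verifies(stored, client_response(password, username, salt), salt)


def replay_succeeds(stored: str, captured: str, salt_now: bytes) -> bool:
    """An eavesdropper resends a captured response without the password.
    This only works if salt_now equals the salt of the sniffed session."""
    return server_verifies(stored, captured, salt_now)
```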
