Re: Authenticate with hash instead of plaintext password? - Mailing list pgsql-general

From Peter Bex
Subject Re: Authenticate with hash instead of plaintext password?
Date
Msg-id 20121216162413.GQ4254@frohike.homeunix.org
Whole thread Raw
In response to Authenticate with hash instead of plaintext password?  (Murray Cumming <murrayc@murrayc.com>)
Responses Re: Authenticate with hash instead of plaintext password?
List pgsql-general
On Sun, Dec 16, 2012 at 04:54:30PM +0100, Murray Cumming wrote:
> libpq lets me open a connection by specifying a password:
> http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>
> Is there any way to specify a hash of the password when connecting, instead of
> providing the password itself?

What's the use of that?  It won't buy you any extra protection if the
hash would be accepted as-is instead of the password.  In fact, now
you would have *two* strings (instead of one) that are accepted as
equally valid passwords.

> My Web UI asks the user for a PostgreSQL
> username and password, and I want to avoid asking the user for the
> password again later, as long as they have the browser cookie that I set.

Perhaps you can encrypt it in the cookie, to prevent casual onlookers
from discovering the password.  However, if anyone can obtain the cookie
(eg via the Firesheep plugin) they can still use that to login even if
they don't know the actual password - they can just reuse the encrypted
blob.

> I've looked at the source of phpPgAdmin, which should deal with the same issue,
> but that seems to store the plaintext password in the session, which might even
> mean that the plaintext password ends up on disk, though I don't know enough about
> PHP to be sure.

The session is slightly safer than storing it directly in the cookie
because one would have to break into the server rather than access
the cookie store in the client.  However, if anyone can recover the
session id, they can connect with this user's credentials as well.

> I understand that libpq already sends only an MD5 hash to the
> PostgreSQL server, when it's configured to use MD5 authentication.

I would think that's challenge-response based, but I'm not sure.  The
documentation seems to hint that it's just the password, but hashed.

> But I don't want to have to provide a plaintext password to libpq.

Why not?  If the script lives on the server, there shouldn't be a way
for the user to recover the password even if it's put in the string.

Unfortunately, I'm not aware of any truly secure method of doing this.
Sorry!  Maybe someone else knows of a good approach.

Cheers,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                            -- Donald Knuth


pgsql-general by date:

Previous
From: aasat
Date:
Subject: How to remove n-first elements from array?
Next
From: Murray Cumming
Date:
Subject: Re: Authenticate with hash instead of plaintext password?