Home > mailing lists

Re: Postgresql security checks - Mailing list pgsql-novice

From	Josh Kupershmidt
Subject	Re: Postgresql security checks
Date	September 1, 2010 15:18:08
Msg-id	AANLkTi=0bKbfvm2L4QVtJfbNXTbR8frAS5dvbLqAAWdw@mail.gmail.com Whole thread Raw
In response to	Re: Postgresql security checks (Thom Brown <thom@linux.com>)
Responses	Re: Postgresql security checks (Thom Brown <thom@linux.com>) Re: Postgresql security checks (Bruce Momjian <bruce@momjian.us>)
List	pgsql-novice

Tree view

On Wed, Sep 1, 2010 at 5:02 AM, Thom Brown <thom@linux.com> wrote:

> SELECT usename
> FROM pg_shadow
> WHERE passwd = 'md5' || md5(usename)
> OR passwd = 'md5' || md5('company_password');

I think this query should be:

  SELECT usename
    FROM pg_shadow
    WHERE passwd = 'md5' || md5(usename || usename) OR
                   passwd = 'md5' || md5('company_password' || usename);

Since the md5 passwords in pg_shadow (and pg_authid) are created as:
  MD5(password || username)

By the way, the documentation pages for pg_authid and pg_shadow don't
mention that md5 passwords are stored in this fashion, perhaps they
should? Or is this fact documented somewhere else I'm not seeing?

Josh

pgsql-novice by date:

From: "Jean-Yves F. Barbier"
Date: 01 September 2010, 11:01:19
Subject: Re: Database size in specific metrics

From: Thom Brown
Date: 01 September 2010, 15:33:44
Subject: Re: Postgresql security checks

Re: Postgresql security checks - Mailing list pgsql-novice

Previous

Next