Re: Comparing md5 hash with md5 password hash - Mailing list pgsql-general

From Thom Brown
Subject Re: Comparing md5 hash with md5 password hash
Date
Msg-id AANLkTinWkutaa9eU_9qveLK35iGyi679eHvjUiCZSb6Q@mail.gmail.com
Whole thread Raw
In response to Comparing md5 hash with md5 password hash  (Michał Koba <toyman@poczta.fm>)
List pgsql-general
2011/3/2 Michał Koba <toyman@poczta.fm>
Hi
 
    We are developing application in Microsoft Access linked via ODBC with PostgreSQL 8.2 database. The ODBC Data Source is configured to login using single user and password for all users logining to our application in MS.
 
    Now. We need to check out if user that trying to login has valid user and password in PostgreSQL database. We are asking tables pg_authid and/or pg_shadow for user names and passwords. Passwords in those tables are stored in md5. We have following statement to compare password hash with password typed by user:
 
SELECT 1
FROM pg_authid
WHERE rolename='<typed_user_name>'
  AND rolpassword='md5'||md5('<typed_user_password>');
 
    But hash generated this way is different than password hash stored in pg_authid.
 
    What we are doing wrong ? Is there any possibility to checkout passwords in pg_authid table ?
 
P.S. Sorry for my awfull english.


s/rolename/rolname/

The password isn't hashed on its own; it's salted with the username, so you'd really want:

rolpassword = 'md5' || md5('password' || rolname);

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

pgsql-general by date:

Previous
From: Michał Koba
Date:
Subject: Comparing md5 hash with md5 password hash
Next
From: "chris r."
Date:
Subject: pg_dump slow with bytea data