Thread: Encrypted Passwords
How does postgres calculate the MD5 version of a password to store in the database during user creation? I am trying to set up a postgres JDBCRealm to work with Tomcat. The problem is that the resulting digest from Java is different then the digest stored in the database for the same word. clear-text: tomcat java: 1b359d8753858b55befa0441067aaed3 postgres: md5efcc1c51a80be13b59cdb96d758a0184 -- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460
Perl also came up with the same digest as Java. -- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460 > How does postgres calculate the MD5 version of a password to store > in the database during user creation? I am trying to set up a > postgres JDBCRealm to work with Tomcat. The problem is that the > resulting digest from Java is different then the digest stored in > the database for the same word. > > clear-text: tomcat > java: 1b359d8753858b55befa0441067aaed3 > postgres: md5efcc1c51a80be13b59cdb96d758a0184 > > -- > Robert Abernethy IV > Dynamic Edge, Inc. > 734.975.0460 > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
Rob Abernethy IV wrote: > How does postgres calculate the MD5 version of a password to store in the > database during user creation? I am trying to set up a postgres JDBCRealm to > work with Tomcat. The problem is that the resulting digest from Java is > different then the digest stored in the database for the same word. > > clear-text: tomcat > java: 1b359d8753858b55befa0441067aaed3 > postgres: md5efcc1c51a80be13b59cdb96d758a0184 What did you use as salt? PostgreSQL users the user name as salt. When I run /contrib/pgcrypto's MD5 I get the same value as PostgreSQL. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Can you tell postgres *NOT* to use a salt when calculating the MD5 digest? I found that it prepends the username to the password before making the calculation. -- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460 > Perl also came up with the same digest as Java. > > -- > Robert Abernethy IV > Dynamic Edge, Inc. > 734.975.0460 > > > How does postgres calculate the MD5 version of a password to store > > in the database during user creation? I am trying to set up a > > postgres JDBCRealm to work with Tomcat. The problem is that the > > resulting digest from Java is different then the digest stored in > > the database for the same word. > > > > clear-text: tomcat > > java: 1b359d8753858b55befa0441067aaed3 > > postgres: md5efcc1c51a80be13b59cdb96d758a0184 > > > > -- > > Robert Abernethy IV > > Dynamic Edge, Inc. > > 734.975.0460 > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org > > ---------------------------(end of broadcast)--------------------------- > TIP 3: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@postgresql.org so that your > message can get through to the mailing list cleanly
"Rob Abernethy IV" <abernethy@dynedge.com> writes: > Can you tell postgres *NOT* to use a salt when calculating the MD5 > digest? No, and you wouldn't want to. The salt is an essential security feature. regards, tom lane
Well, actually I *do* want to. My goal is to be able to use my existing set of database users to authenticate to web apps running in Tomcat. Tomcat allows you to set up a JDBC Realm for authentication, which lets you connect to a database and use usernames and passwords from that database. The problem is that Tomcat computes the digest without a salt and, therefore, authentication is failing because the two digested versions of the same password are different. Has anyone else used postgres to set up a JDBC Realm? Can anyone suggest any alternatives? -- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460 > "Rob Abernethy IV" <abernethy@dynedge.com> writes: > > Can you tell postgres *NOT* to use a salt when calculating the MD5 > > digest? > > No, and you wouldn't want to. The salt is an essential security > feature. > > regards, tom lane
> The problem > is that Tomcat computes the digest without a salt and, therefore, > authentication is failing because the two digested versions of the same > password are different. If there is not a feature within Tomcat to allow adding the username as a salt to the MD5 hash, then Tomcat is broken. This is so common, I cannot imagine any product bothering to implement MD5 hashing without allowing a fairly generic salting API call. Thankfully, Tomcat comes with source, so it can be fixed if, indeed, it is broken. Do not waste any energy trying to get Postgres to not salt the hash, you'd be using energy ruining one product instead of fixing another. -- Tim Ellis Senior Database Architect