Thread: Move passwords between databases

Move passwords between databases

From
Raj Mathur
Date:
Hi,

Using Postgresql 7.2.3 on Linux, is there an easy way to transfer user
passwords from one database to another?

I have an application that creates data (and users) centrally and then
distributes them to remote databases.  I can transfer everything else,
but do not know how to transfer MD5 passwords.

As a last resort the application could store the passwords in
plain-text in the central database and then use a remote "alter user
with encrypted password..." command to update the user's password, but
I'd rather avoid that if there is any alternative available.

I tried an "update pg_shadow set passwd=... where usename=..."

Regards,

-- Raju
--
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

Re: Move passwords between databases

From
Raj Mathur
Date:
Erhm, the last line of the earlier mail should read:

I tried an "update pg_shadow set passwd=... where usename=..." but
that doesn't do the trick: Postgresql does not authenticate the user.

Regards,

-- Raju
--
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

Re: Move passwords between databases

From
Tom Lane
Date:
Raj Mathur <raju@linux-delhi.org> writes:
> Using Postgresql 7.2.3 on Linux, is there an easy way to transfer user
> passwords from one database to another?

You could look at what pg_dumpall --globals-only does.

> I have an application that creates data (and users) centrally and then
> distributes them to remote databases.  I can transfer everything else,
> but do not know how to transfer MD5 passwords.

AFAIK you can just do it.  The CREATE or ALTER USER command should
recognize the password as already encrypted and not munge it.  Are
you sure you are using the correct pg_hba.conf setup on the destination
system?

            regards, tom lane

Re: Move passwords between databases

From
Raj Mathur
Date:
>>>>> "Tom" == Tom Lane <tgl@sss.pgh.pa.us> writes:

    Tom> Raj Mathur <raju@linux-delhi.org> writes:
    >> Using Postgresql 7.2.3 on Linux, is there an easy way to
    >> transfer user passwords from one database to another?

    Tom> You could look at what pg_dumpall --globals-only does.

Tried that, doesn't seem to work (this is on a single system):

mdu=# alter user raju with encrypted password 'raju';
ALTER USER
mdu=# select passwd from pg_shadow where usename='raju';
               passwd
-------------------------------------
 md5ef70c430d5ed1ed52bd2ae960bb8ebe4
(1 row)

mdu=# create user xxx with password 'md5ef70c430d5ed1ed52bd2ae960bb8ebe4';
CREATE USER
mdu=# \q
[raju@mail raju]$ psql mdu xxx
Password: <enter 'raju' here>
psql: FATAL 1:  Password authentication failed for user "xxx"

    >> I have an application that creates data (and users) centrally
    >> and then distributes them to remote databases.  I can transfer
    >> everything else, but do not know how to transfer MD5 passwords.

    Tom> AFAIK you can just do it.  The CREATE or ALTER USER command
    Tom> should recognize the password as already encrypted and not
    Tom> munge it.  Are you sure you are using the correct pg_hba.conf
    Tom> setup on the destination system?

The entry is the same in both:

local     all                   md5

The application updating the passwords is running locally on both
systems.

Any clues?

Regards,

-- Raju
--
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

Re: Move passwords between databases

From
Tom Lane
Date:
Raj Mathur <raju@linux-delhi.org> writes:
> mdu=# alter user raju with encrypted password 'raju';
> ALTER USER
> mdu=# select passwd from pg_shadow where usename='raju';
>                passwd
> -------------------------------------
>  md5ef70c430d5ed1ed52bd2ae960bb8ebe4
> (1 row)

> mdu=# create user xxx with password 'md5ef70c430d5ed1ed52bd2ae960bb8ebe4';
> CREATE USER

That's not going to work, because the user name is included into the
password encryption algorithm, so two different usernames with the same
cleartext password are going to have two different encrypted passwords.
(This is a feature, not a bug.)

You can transfer the same usernames with the same passwords from one
system to another using the method shown above.  You cannot assign one
user's password to another username this way.

            regards, tom lane

Re: Move passwords between databases

From
Raj Mathur
Date:
>>>>> "Tom" == Tom Lane <tgl@sss.pgh.pa.us> writes:

    Tom> Raj Mathur <raju@linux-delhi.org> writes:
    >> mdu=# alter user raju with encrypted password 'raju'; ALTER
    >> USER mdu=# select passwd from pg_shadow where usename='raju';
    >> passwd
    >> -------------------------------------
    >> md5ef70c430d5ed1ed52bd2ae960bb8ebe4 (1 row)

    >> mdu=# create user xxx with password
    >> 'md5ef70c430d5ed1ed52bd2ae960bb8ebe4'; CREATE USER

    Tom> That's not going to work, because the user name is included
    Tom> into the password encryption algorithm, so two different
    Tom> usernames with the same cleartext password are going to have
    Tom> two different encrypted passwords.  (This is a feature, not a
    Tom> bug.)

Oooh, that's what I was missing then.

    Tom> You can transfer the same usernames with the same passwords
    Tom> from one system to another using the method shown above.  You
    Tom> cannot assign one user's password to another username this
    Tom> way.

Great, it works now.

Thanks!  Both PostgreSQL and you guys rock!

Regards,

-- Raju
--
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves