Thread: pg_hba.conf - md5

pg_hba.conf - md5

From
Vince
Date:
I want to access my postgres db over the internet.  My pg_hba.conf is
set up to do this:
host    all         all         0.0.0.0/0    md5

Now, what I don't understand is how does the "md5" affect things?

If I connect via php:
$db = pg_connect('host=xx.xx.xx.xx port=5433 dbname=MYDB user=postgres
password=mypass');

"mypass" being whatever my password is; is it still sent in plain text?
Why don't I have to send the md5 version of the password to connect?

Thanks,
Vince.

Re: pg_hba.conf - md5

From
Michael Fuhr
Date:
On Sat, Jun 09, 2007 at 02:43:06AM -0700, Vince wrote:
> I want to access my postgres db over the internet.  My pg_hba.conf is
> set up to do this:
> host    all         all         0.0.0.0/0    md5
>
> Now, what I don't understand is how does the "md5" affect things?

It causes the password exchange between the client and the server
to hash the user's password with a salt (random value) that the
server sends.  This prevents the password from being passed in the
clear and it aims to prevent replay attacks, where an attacker who
had sniffed a previous session could respond to the server's challenge
without knowing the password by resending the same response it had
seen before (such an attack would still work in the unlikely -- but
possible -- event that the attacker had sniffed a previous session
that used the same salt).

MD5 authentication works like this:

Client: username, databasename
Server: MD5 authentication, salt
Client: MD5(MD5(password || username) || salt)

The server performs the same calculation (the user's password is
typically already stored in the system catalogs as MD5(password ||
username)).  If the results match then authentication succeeds.

> If I connect via php:
> $db = pg_connect('host=xx.xx.xx.xx port=5433 dbname=MYDB user=postgres
> password=mypass');
>
> "mypass" being whatever my password is; is it still sent in plain text?

No.

> Why don't I have to send the md5 version of the password to connect?

Because libpq (or whatever underlying library you're using) does
that for you.

If you want to allow connections over an open network then consider
using SSL and allowing only hostssl connections from everywhere
except trusted networks.

http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html

The server could optionally require the client to present a certificate
signed by a specific CA and the client could require the same of the
server; see the discussion of root.crt for more information.

--
Michael Fuhr
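The exchange Michael describes above, written out as an added example (this is not code from the thread or from PostgreSQL itself; it only reproduces the documented md5 scheme). The stored value is "md5" followed by the hex digest of MD5(password || username); the client answers the 4-byte random salt with "md5" followed by the hex digest of MD5(that inner hex || salt). The usernames, password and fixed salts below are constructed for illustration, and the "captured" response plays the role of the sniffed session he mentions, so the replay case can be checked directly.

```python
import hashlib
import hmac
import os


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_password(password: str, username: str) -> str:
    """What the server keeps in the catalog: 'md5' + MD5(password || username).

    Note that the username is the salt for the stored form, so two roles with
    the same password still get different catalog entries.
    """
    return "md5" + _md5_hex(password.encode() + username.encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """What libpq sends back after AuthenticationMD5Password: the password
    itself never leaves the client, only this derived digest."""
    inner = _md5_hex(password.encode() + username.encode())
    return "md5" + _md5_hex(inner.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the catalog entry (no plaintext needed)
    and compare in constant time."""
    if not stored.startswith("md5"):
        raise ValueError("catalog entry is not an md5 password")
    expected = "md5" + _md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, password: str, stored: str, salt: bytes = None):
    """One full round trip. Returns (accepted, salt, response) so callers can
    inspect what actually crossed the wire."""
    salt = salt if salt is not None else os.urandom(4)  # server picks 4 random bytes
    response = client_response(password, username, salt)
    return server_verify(stored, salt, response), salt, response


def replay_demo():
    """Constructed scenario: an attacker sniffed one session (salt_a, resp_a).
    Replaying resp_a only works if the server happens to reuse salt_a."""
    user, pw = "postgres", "mypass"           # constructed credentials
    stored = stored_password(pw, user)
    salt_a, salt_b = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"  # constructed salts
    _, _, resp_a = run_exchange(user, pw, stored, salt_a)   # the sniffed session
    return {
        "fresh_salt_rejects_replay": server_verify(stored, salt_b, resp_a),
        "reused_salt_accepts_replay": server_verify(stored, salt_a, resp_a),
        "password_not_on_wire": pw not in resp_a,
    }


if __name__ == "__main__":
    ok, salt, resp = run_exchange("postgres", "mypass", stored_password("mypass", "postgres"))
    print("accepted:", ok, "salt:", salt.hex(), "response:", resp)
    print(replay_demo())
```

The replay result is the point to take from this: the digest is unsalted with respect to the session beyond those four server-chosen bytes, so an eavesdropper who captures the response and later sees the same salt can authenticate, and an attacker who obtains the catalog entry itself can compute a valid response without ever knowing the password. That is why the advice in the reply to wrap the connection in SSL stands on its own; later PostgreSQL releases (10 and up) also offer scram-sha-256 as a stronger alternative to md5 in pg_hba.conf.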

Re: pg_hba.conf - md5

From
"Joshua D. Drake"
Date:
Vince wrote:
> I want to access my postgres db over the internet.  My pg_hba.conf is
> set up to do this:
> host    all         all         0.0.0.0/0    md5
>
> Now, what I don't understand is how does the "md5" affect things?
>
> If I connect via php:
> $db = pg_connect('host=xx.xx.xx.xx port=5433 dbname=MYDB user=postgres
> password=mypass');
>
> "mypass" being whatever my password is; is it still sent in plain text?

No the resultant md5 hash is.

> Why don't I have to send the md5 version of the password to connect?
>

The driver does it.

Joshua D. Drake


> Thanks,
> Vince.
>


--

       === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
              http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/