Thread: Programming interfaces when using MD5 authentication

Programming interfaces when using MD5 authentication

From
Preston de Guise
Date:
Hi,

I apologise in advance if this is considered the wrong list to post
onto. I couldn't find specific details for joining a DBD::Pg style
mailing list so I'm hoping this is something that's relatively well
known about by general PostgreSQL developers anyway.

I'm using Perl to program interfaces to PostgreSQL, and had previously
misunderstood how md5 password authentication worked, so I'm now
redoing it, but struggling to find out how DBD::Pg might be used to
actually authenticate by passing an md5 of the password instead of the
real thing.

I understand from various reading that the md5 should be a double-process
consisting of:

phase1 = md5(password <concat> username)
password_to_use = md5(phase1 <concat> salt)

What I don't understand is how to "extract" the salt required to
complete the second phase.

Effectively what I'm hoping for is to be able to do something along
the lines of:

---------------------------------------------------------------
#!/usr/local/bin/perl -w

use strict;
use DBI;
use Digest::MD5 qw(md5_hex);
use DBD::Pg;

my $user = "currentuser";
my $pass = md5_hex("supersecretpassword" . $user);

my $dbh = DBI->connect("dbi:Pg:dbname=monitoring","$user",$pass,
{ PrintError => 1 });
if (defined($dbh)) {
    $dbh->disconnect();
    print "Successful\n";
} else {
    print "Failed!!\n";
}
---------------------------------------------------------------

In the above, if I prepend "md5" to the $pass variable I obviously get
what exactly matches the content of the pg_shadow table entry for the
given user ... however, either way the connection isn't successful
because (from what I've been able to discern) I actually need to submit:

md5 <concat> md5($pass <concat> salt)

Can DBD::Pg be used for these connections? If anyone has experience in
this I'd much appreciate your thoughts or suggestions. (I realise the
"connect" function is from DBI, but it seems to me that the use of the
salt required to properly authenticate will be specific somehow to
DBD::Pg usage.)

Cheers,

Preston.

--
Preston de Guise
http://www.enterprisesystemsbackup.com




Re: Programming interfaces when using MD5 authentication

From
Willy-Bas Loos
Date:
Hi,

I can only answer for the database part. This is on postgres 8.3.8.
The passwords can be checked against the table pg_shadow using this algorithm:
'md5'||md5(<password>||<username>)

HTH,

WBL

On Fri, Oct 2, 2009 at 1:48 AM, Preston de Guise <preston@anywebdb.com> wrote:
> Hi,
>
> I apologise in advance if this is considered the wrong list to post onto. I
> couldn't find specific details for joining a DBD::Pg style mailing list so
> I'm hoping this is something that's relatively well known about by general
> PostgreSQL developers anyway.
>
> Using Perl to program interfaces to PostgreSQL, and had previously
> misunderstood how md5 password authentication worked, so I'm now re-doing
> it, but struggling to find out how DBD::Pg might be used to actually
> authenticate by passing an md5 of the password instead of the real thing.
>
> I understand from various reading that the md5 should be a double-process
> consisting of:
>
> phase1 = md5(password <concat> username)
> password_to_use = md5(phase1 <concat> salt)
>
> What I don't understand is how to "extract" the salt required to complete
> the second phase.
>
> Effectively what I'm hoping for is to be able to do something along the
> lines of:
>
> ---------------------------------------------------------------
> #!/usr/local/bin/perl -w
>
> use strict;
> use DBI;
> use Digest::MD5 qw(md5_hex);
> use DBD::Pg;
>
> my $user = "currentuser";
> my $pass = md5_hex("supersecretpassword" . $user);
>
> my $dbh = DBI->connect("dbi:Pg:dbname=monitoring","$user",$pass, {
> PrintError => 1 });
> if (defined($dbh)) {
>        $dbh->disconnect();
>        print "Successful\n";
> } else {
>        print "Failed!!\n";
> }
> ---------------------------------------------------------------
>
> In the above, if I prepend "md5" to the $pass variable I obviously get what
> exactly matches the content of the pg_shadow table entry for the given user
> ... however, either way the connection isn't successful because (from what
> I've been able to discern) I actually need to submit:
>
> md5 <concat> md5($pass <concat> salt)
>
> Can DBD::Pg be used for these connections? If anyone has experience in this
> I'd much appreciate your thoughts or suggestions. (I realise the "connect"
> function is from DBI, but it seems to me that the use of the salt required
> to properly authenticate will be specific somehow to DBD::Pg usage.)
>
> Cheers,
>
> Preston.
>
> --
> Preston de Guise
> http://www.enterprisesystemsbackup.com
>
>
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>



--
"Patriotism is the conviction that your country is superior to all
others because you were born in it." -- George Bernard Shaw

Re: Programming interfaces when using MD5 authentication

From
Tom Lane
Date:
Preston de Guise <preston@anywebdb.com> writes:
> Using Perl to program interfaces to PostgreSQL, and had previously
> misunderstood how md5 password authentication worked, so I'm now re-
> doing it, but struggling to find out how DBD::Pg might be used to
> actually authenticate by passing an md5 of the password instead of the
> real thing.

You should always pass the cleartext password.  Any md5-ification will
be done by the low-level driver.

            regards, tom lane
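The two-phase computation Preston describes (phase1 = md5(password || username), then md5(phase1 || salt)), the pg_shadow form Willy-Bas gives ('md5' || md5(password || username)), and Tom's point that the driver does the hashing can be worked through offline. The following Python is an added example written for this thread; it is not code from the posts, from DBD::Pg or from libpq. It assumes the credentials are encoded as UTF-8 before hashing, uses constructed sample values, and the function names are mine.

```python
"""PostgreSQL md5 password authentication, both sides, worked through offline.

Protocol as the thread describes it:
  stored (pg_shadow):  'md5' || md5(password || username)
  server -> client:    AuthenticationMD5Password carrying a 4-byte random salt
  client -> server:    'md5' || md5( md5(password || username) || salt )
The salt is chosen by the server per connection, which is why an application
cannot "extract" it: libpq receives it and answers the challenge itself.
"""
import hashlib
import hmac
import os

# Assumption: credentials are hashed as their UTF-8 bytes.
ENCODING = "utf-8"


def md5_hex(data: bytes) -> str:
    """Lowercase 32-character hex digest, the form PostgreSQL stores and sends."""
    return hashlib.md5(data).hexdigest()


def stored_md5_password(password: str, username: str) -> str:
    """What pg_shadow holds for an md5-hashed role: 'md5' || md5(password || username)."""
    return "md5" + md5_hex(password.encode(ENCODING) + username.encode(ENCODING))


def md5_challenge_response(password: str, username: str, salt: bytes) -> str:
    """Client side, normally performed by libpq from the cleartext password."""
    if len(salt) != 4:
        raise ValueError("AuthenticationMD5Password carries a 4-byte salt")
    phase1 = md5_hex(password.encode(ENCODING) + username.encode(ENCODING))
    return "md5" + md5_hex(phase1.encode("ascii") + salt)


def server_verifies(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored hex and the salt it issued, compare in constant time."""
    if not stored.startswith("md5") or len(stored) != 35:
        return False
    expected = "md5" + md5_hex(stored[3:].encode("ascii") + salt)
    return hmac.compare_digest(expected, response)


def simulate_handshake(username: str, password: str, stored: str, salt: bytes = None):
    """One exchange: server picks a salt, client answers, server checks.

    Returns (salt, response, accepted). A fixed salt may be supplied for
    reproducible tests; otherwise a fresh random one is drawn as a server would.
    """
    salt = os.urandom(4) if salt is None else salt
    response = md5_challenge_response(password, username, salt)
    return salt, response, server_verifies(stored, salt, response)


def prehashed_by_application(username: str, password: str, stored: str, salt: bytes) -> bool:
    """Reproduces the script in the first post: the application hands the driver
    md5(password || username) instead of the password. The driver then hashes that
    value again with the username, so the response no longer matches."""
    prehashed = md5_hex(password.encode(ENCODING) + username.encode(ENCODING))
    return simulate_handshake(username, prehashed, stored, salt)[2]


if __name__ == "__main__":
    # Constructed sample values mirroring the thread's script.
    user, pw = "currentuser", "supersecretpassword"
    stored = stored_md5_password(pw, user)
    salt, response, ok = simulate_handshake(user, pw, stored)
    print("pg_shadow value:", stored)
    print("salt from server:", salt.hex(), "response:", response, "accepted:", ok)
    print("same response replayed against a new salt accepted:",
          server_verifies(stored, os.urandom(4), response))
    print("application pre-hashing accepted:",
          prehashed_by_application(user, pw, stored, salt))
```

Running the exchange with a correct cleartext password is accepted, the same response fails against any other salt, and the pre-hashed variant is rejected, which is the behaviour Preston saw and the reason Tom's advice is to pass the cleartext password and let the driver answer the challenge. Note that `server_verifies` needs only the stored hex, not the password, so the pg_shadow value is password-equivalent and must be protected like one; this property is part of why later PostgreSQL releases offer SCRAM-SHA-256 in place of md5.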

Re: Programming interfaces when using MD5 authentication

From
Preston de Guise
Date:
On 02/10/2009, at 23:47, Tom Lane wrote:

> Preston de Guise <preston@anywebdb.com> writes:
>> Using Perl to program interfaces to PostgreSQL, and had previously
>> misunderstood how md5 password authentication worked, so I'm now re-
>> doing it, but struggling to find out how DBD::Pg might be used to
>> actually authenticate by passing an md5 of the password instead of
>> the
>> real thing.
>
> You should always pass the cleartext password.  Any md5-ification will
> be done by the low-level driver.

Thanks for the clarification, Tom.

Cheers,

Preston.