Thread: [GENERAL] Client Authentication methods

[GENERAL] Client Authentication methods

From
chiru r
Date:
Hi All,

I am trying to understand the authentication methods in the pg_hba.conf file (password & md5) in the PostgreSQL database server.

I am assuming that the user provides the connection string host/user/password, then the client will go and contact the DB server's pg_hba.conf file in memory without carrying the password over the network initially, and then it confirms the authentication method from pg_hba.conf, then it decides whether it sends a clear-text or md5-encrypted password from client to server to make a session?

Is my assumption correct? Or what exactly makes the difference for the client if I use md5/password in the pg_hba.conf file on the DB server?

Thanks,
chiru


Re: [GENERAL] Client Authentication methods

From
Berend Tober
Date:
chiru r wrote:
> Hi All,
>
> I am trying to understand the authentication methods in the pg_hba.conf file (password & md5) in
> the PostgreSQL database server.
>
> I am assuming that the user provides the connection string host/user/password, then the client will go
> and contact the DB server's pg_hba.conf file in memory without carrying the password over the network
> initially, and then it confirms the authentication method from pg_hba.conf, then it decides whether
> it sends a clear-text or md5-encrypted password from client to server to make a session?
>
> Is my assumption correct? Or what exactly makes the difference for the client if I use
> md5/password in the pg_hba.conf file on the DB server?
>


Your assumptions sound consistent with documentation appearing at

https://www.postgresql.org/docs/10/static/protocol-flow.html

https://www.postgresql.org/docs/10/static/auth-methods.html

-- B





Re: [GENERAL] Client Authentication methods

From
"Peter J. Holzer"
Date:
On 2017-11-10 08:25:24 -0500, chiru r wrote:
> I am trying to understand the authentication methods in the pg_hba.conf file
> (password & md5) in the PostgreSQL database server.
>
> I am assuming that the user provides the connection string host/user/
> password, then the client will go and contact the DB server's pg_hba.conf file in
> memory without carrying the password over the network initially, and then it
> confirms the authentication method from pg_hba.conf, then it decides whether it
> sends a clear-text or md5-encrypted password from client to server to make a
> session?

I'm not sure what "it" refers to in this sentence. If "it" refers to the
client (as grammatically it should) then the answer is no. The client
doesn't have access to the pg_hba.conf file.

The client connects to the server, sending the username and database
name, but not (yet) the password. Then the server checks the pg_hba.conf
file to determine which authentication method to use. The server then
sends an authentication request to the client, to which the client sends
a response (including, or based on, the password).


> Is my assumption correct? Or what exactly makes the difference for the client
> if I use md5/password in the pg_hba.conf file on the DB server?

See
https://www.postgresql.org/docs/10/static/auth-methods.html#AUTH-PASSWORD

With method password, passwords are sent in plain text. With md5, an md5
hash of the password, the username, and a nonce is sent instead.
       hp

--   _  | Peter J. Holzer    | we build much bigger, better disasters now
|_|_) |                    | because we have much more sophisticated
| |   | hjp@hjp.at         | management tools.
__/   | http://www.hjp.at/ | -- Ross Anderson <https://www.edge.org/>
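The exchange Peter describes (the server picks the method from pg_hba.conf, then either asks for the clear-text password or sends an md5 challenge with a nonce), as an added Python simulation that is not part of this thread or of PostgreSQL's own code. The role name, password and the 4-byte salt are constructed sample values; the hash construction "md5" + md5(md5(password || username) || salt) is the one the protocol documentation specifies.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5_verifier(user: str, password: str) -> str:
    """What the server stores for the role: 'md5' + md5(password || username).
    The clear-text password itself is never kept on the server."""
    return "md5" + md5_hex(password.encode() + user.encode())


def server_auth_request(method: str) -> dict:
    """After matching a pg_hba.conf line, the server asks the client for credentials.
    'password' -> AuthenticationCleartextPassword; 'md5' -> AuthenticationMD5Password + nonce."""
    if method == "password":
        return {"type": "AuthenticationCleartextPassword"}
    if method == "md5":
        return {"type": "AuthenticationMD5Password", "salt": os.urandom(4)}
    raise ValueError("method not covered by this example: " + method)


def client_response(request: dict, user: str, password: str) -> str:
    """What the client puts on the wire in its PasswordMessage for each request type."""
    if request["type"] == "AuthenticationCleartextPassword":
        return password  # the clear-text password crosses the network
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + request["salt"])  # salted with the nonce


def server_verify(request: dict, stored: str, response: str, user: str) -> bool:
    """Server-side check. With md5 the server only needs the stored verifier and the nonce."""
    if request["type"] == "AuthenticationCleartextPassword":
        return hmac.compare_digest(stored_md5_verifier(user, response), stored)
    expected = "md5" + md5_hex(stored[3:].encode() + request["salt"])
    return hmac.compare_digest(expected, response)


def run_exchange(method: str, user: str, stored: str, attempt: str):
    """One full round: request -> client reply -> server verdict. Returns (wire payload, ok)."""
    request = server_auth_request(method)
    payload = client_response(request, user, attempt)
    return payload, server_verify(request, stored, payload, user)


# Constructed sample role; the verifier stands in for the server's stored pg_authid entry.
SAMPLE_USER, SAMPLE_PASSWORD = "chiru", "s3cret-example"
SAMPLE_STORED = stored_md5_verifier(SAMPLE_USER, SAMPLE_PASSWORD)
```

Compare the payload returned for `"password"` with the one for `"md5"`: the first is the password itself, the second is a 35-character salted hash that changes with every nonce and is useless to replay.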