Re: md5 again

> direction    what
> ----------------------------------------------
> CL -> PG    username
> PG -> CL    random salt
> CL -> PG    plaintext passwd
> 
> 
> CL -> PG    username
> PG -> CL    user salt 
^^^^^^^^^^^^^^^^^^^^^^^^^
> PG -> CL    random salt
> CL -> PG    encrypted passwd
> 


MD5(MD5(username+user_salt)+random_salt)

Postmaster takes its pg_shadow MD5(username+user_salt) and does another
MD5 with the random salt and compares it with what was sent from the
client.

If the connection is defined as requiring crypt or password, only this
MD5 method can be used.  If trusted is defined, cleartext passwords can
be accepted.

Don't bother encrypting the username.  No security is gained.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026