Re: MD5 passwords explained (was Re: md5 hash question (2))
| From | Çağıl Şeker |
|---|---|
| Subject | Re: MD5 passwords explained (was Re: md5 hash question (2)) |
| Date | |
| Msg-id | 94327A2FE8C87C4C89A82DBE9E7B2B3F08688D@beetle.biznet.com.tr |
| In reply to | MD5 passwords explained (was Re: md5 hash question (2)) ("Magnus Naeslund(f)" <mag@fbab.net>) |
| List | pgsql-general |
> -----Original Message-----
> From: Magnus Naeslund(f) [mailto:mag@fbab.net]
>
> There seems to be some confusion regarding the md5 authentication method
> used in postgresql, and I thought it might be good if I typed this
> message so that it can be referred to if anyone asks these questions
> again.
>
> Someone will surely correct me if I'm wrong :)
>
> The password in the database is stored like this:
>
> md5passwd = "md5"+md5(cleartxtpasswd+user);

--- Here something must be wrong ---

I've created a user 't' with the password 't'. The md5 shadow is:

"md5accc9105df5383111407fd5b41255e23"

Then:

echo "tt" | md5sum
"821ccb7eb5157bb2ab3727dc2845d62b"

echo "t+t" | md5sum
6860f8721849d643fe95e0b65a423341

which is different.

> When connecting and authenticating this happens:
>
> The server generates a random salt (nonce) and sends it to the client.
>
> md5salt = 4 random chars
>
> The client then does this:
>
> md5hash = md5(md5(cleartxtpasswd+user)+md5salt)
>
> and sends it to the server.
>
> The server then does the same on its side and compares the result with
> the hash gotten from the client. If they match the password is correct.
>
> This is standard MAC / shared secret stuff.
>
> It's done to avoid sending clear text passwords (or even the stored md5
> password, to prevent brute force cracking) over the wire.
>
> Regards
> Magnus
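The scheme Magnus describes, worked through as an added example that is not code from the thread or from PostgreSQL itself: the stored value is "md5" + md5(password || username), and each login is a challenge/response over that stored digest with a 4-byte salt. One caveat worth checking before concluding that the formula is wrong: `echo "tt" | md5sum` hashes the string "tt" followed by a newline, so it is not the same input as md5("tt"); `printf '%s' tt | md5sum` is the shell equivalent of what the formula computes, and `echo_vs_printf` below shows the two digests differ. The function names (`stored_password`, `client_response`, `server_verify`, `echo_vs_printf`) and the use of a random salt from `secrets` are my own choices for the illustration.

```python
"""Model of the PostgreSQL "md5" password storage and challenge/response.

Added example; not taken from the original thread or from PostgreSQL.
It follows the arithmetic given in Magnus's message:
    stored   = "md5" + md5(password + username)
    response = "md5" + md5(md5(password + username) + salt)
Function names below are assumptions made for this example.
"""
import hashlib
import secrets
from typing import Tuple


def md5hex(data: bytes) -> str:
    """Lower-case hex MD5 of raw bytes."""
    return hashlib.md5(data).hexdigest()


def stored_password(password: str, username: str) -> str:
    """What lands in pg_shadow: "md5" + md5(password || username).

    The username acts as the only per-user salt, and it is public and
    predictable, so two users with the same password still get different
    digests but the scheme gives no protection against a targeted offline
    guess once the stored value leaks.
    """
    return "md5" + md5hex((password + username).encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """Client side: re-derive the stored digest, then hash it with the
    4-byte salt the server sent. Only this outer hash crosses the wire."""
    inner = stored_password(password, username)[len("md5"):]
    return "md5" + md5hex(inner.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: repeat the outer hash from the stored digest alone.

    Note what this implies: the server never needs the clear-text password,
    so the stored "md5..." string is itself a login credential for anyone
    who can read pg_shadow.
    """
    expected = "md5" + md5hex(stored[len("md5"):].encode() + salt)
    return secrets.compare_digest(expected, response)


def echo_vs_printf(text: str) -> Tuple[str, str]:
    """Digests of `echo "<text>" | md5sum` (trailing newline included)
    versus `printf '%s' <text> | md5sum` (no newline)."""
    return md5hex((text + "\n").encode()), md5hex(text.encode())


def demo(username: str = "t", password: str = "t") -> Tuple[bool, bool]:
    """Run one correct and one wrong login against a freshly stored digest.

    Returns (correct_password_accepted, wrong_password_accepted).
    """
    stored = stored_password(password, username)
    salt = secrets.token_bytes(4)          # the server's per-connection nonce
    good = server_verify(stored, salt, client_response(password, username, salt))
    bad = server_verify(stored, salt, client_response("wrong", username, salt))
    return good, bad


if __name__ == "__main__":
    with_newline, without_newline = echo_vs_printf("tt")
    print("stored for user 't' / password 't':", stored_password("t", "t"))
    print("md5('tt\\n') from echo:            ", with_newline)
    print("md5('tt')   from printf:          ", without_newline)
    print("login ok / wrong-password ok:     ", demo())
```

The salt only protects against replay of a captured response; an eavesdropper who sees both the 4-byte salt and the response can still brute-force the password offline, and anyone holding the stored digest can answer the challenge without ever knowing the password.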