Re: [pgadmin-hackers] Client-side password encryption

Andrew Dunstan <andrew@dunslane.net>

From: Andrew Dunstan <andrew@dunslane.net>
To: Stephen Frost <sfrost@snowman.net>
Cc: Martijn van Oosterhout <kleptog@svana.org>, Greg Stark <gsstark@mit.edu>, Tom Lane <tgl@sss.pgh.pa.us>, Christopher Kings-Lynne <chriskl@familyhealth.com.au>, Peter Eisentraut <peter_e@gmx.net>, pgsql-hackers@postgresql.org, Andreas Pflug <pgadmin@pse-consulting.de>, Dave Page <dpage@vale-housing.co.uk>
Date: 2005-12-23T16:16:31Z
Lists: pgsql-hackers

Stephen Frost wrote:

>Is it actually doing challenge-response where the challenge is different
>each time?  
>


The docs say:

AuthenticationMD5Password

    The frontend must now send a PasswordMessage containing the password
    encrypted via MD5, using the 4-character salt specified in the
    AuthenticationMD5Password message. If this is the correct password,
    the server responds with an AuthenticationOk, otherwise it responds
    with an ErrorResponse.



A little investigation reveals that this is port->md5salt which is 4 
random bytes set up fresh per connection (see src/backend/libpq/auth.c 
and src/backend/postmaster/postmaster.c). So it seems indeed to be a 
true (small) one time challenge token, unless I've missed something.

cheers

andrew