Re: [pgadmin-hackers] Client-side password encryption
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Stephen Frost <sfrost@snowman.net>
Cc: Martijn van Oosterhout <kleptog@svana.org>, Greg Stark <gsstark@mit.edu>, Tom Lane <tgl@sss.pgh.pa.us>, Christopher Kings-Lynne <chriskl@familyhealth.com.au>, Peter Eisentraut <peter_e@gmx.net>, pgsql-hackers@postgresql.org, Andreas Pflug <pgadmin@pse-consulting.de>, Dave Page <dpage@vale-housing.co.uk>
Date: 2005-12-23T16:16:31Z
Lists: pgsql-hackers
Stephen Frost wrote:
>Is it actually doing challenge-response where the challenge is different
>each time?
>
The docs say:
AuthenticationMD5Password
The frontend must now send a PasswordMessage containing the password
encrypted via MD5, using the 4-character salt specified in the
AuthenticationMD5Password message. If this is the correct password,
the server responds with an AuthenticationOk, otherwise it responds
with an ErrorResponse.
A little investigation reveals that this is port->md5salt which is 4
random bytes set up fresh per connection (see src/backend/libpq/auth.c
and src/backend/postmaster/postmaster.c). So it seems indeed to be a
true (small) one time challenge token, unless I've missed something.
cheers
andrew