Re: MD5 Authentication

From: Arjen Nienhuis <a(dot)g(dot)nienhuis(at)gmail(dot)com>
To: Raimon Fernandez <coder(at)montx(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: MD5 Authentication
Date: 2009-11-06 11:24:27
Message-ID: 11ddbd200911060324v4ea36cb1w1857cf56309f4e02@mail.gmail.com
Lists: pgsql-general

On Fri, Nov 6, 2009 at 9:58 AM, Raimon Fernandez <coder(at)montx(dot)com> wrote:
>
> On 06/11/2009, at 8:48, Raimon Fernandez wrote:
>
>> I'm blocked .......
>>
>>
>> On 06/11/2009, at 6:27, John DeSoi wrote:
>>
>>>
>>> On Nov 5, 2009, at 12:35 PM, Raimon Fernandez wrote:
>>>
>>>> at least, my first md5 (psw+user) is the same as the pg_shadow (without
>>>> the 'md5') ...
>>>>
>>>> should I md5 the first md5 as I get it as string (like username) or byte
>>>> by byte ?
>>>
>>> As far as I know, a string. But it is unclear to me what happens when the
>>> user or database name has non-ascii characters. The client encoding is not
>>> established until after authentication.
>>>
>>> I asked about that a while ago but did not get any responses.
>>
>> After reading all the emails about it, I'm blocked, maybe someone can see
>> where the error is and shed some light on it ...
>>
>> user: postgres (test values)
>> psw:postgres (test values)
>>
>> first md5("postgrepostgres") ==> 44965A835F81EC252D83961D2CC9F3E1
>>
>> salt: A6B76060
>>
>>
>> second md5("44965A835F81EC252D83961D2CC9F3E1"+"A6B76060") ==>
>>  34F74BEF877202D4399092F97EFE8712
>>
>>
>> send to server:  header + length +
>> "md5"+"34F74BEF877202D4399092F97EFE8712" ==> Fatal error, password
>> Authentication failed for user postgres ...
>
> I've created a tcpdump with all information:
>
> server =>
>
> 52 (R)
> 00 00 00 0C (12 length)
> 00 00 00 05 (5 => md5)
> C8 C3 57 17 (token)
>
>
>
> psql sends =>
>
> 70 00 00 00 28 6D 64 35 33 38 38 35 30 37 37 39 31 39 64 38 30 63 39 35 62
> 33 32 34 65 39 63 36 38 65 39 64 37 66 64 63 00 => binary
> p   (md53885077919d80c95b324e9c68e9d7fdc  => string
>
>
> user: postgres
> psw: postgre
>
> I can't create an identical HASH with those values, because:
>
> the first md5 is easy:  44965a835f81ec252d83961d2cc9f3e1c8c35717
>
> Now we have to MD5 this one with the token:
>
> 1. 44965a835f81ec252d83961d2cc9f3e1c8c35717C8C35717 (uppercase and
> lowercase)
> 2. 44965a835f81ec252d83961d2cc9f3e1c8c35717c8c35717 (lowercase)
> 3. 44965a835f81ec252d83961d2cc9f3e1c8c35717 + &HC8 + &HC3 + &H57 + &H17
> 4. ??????????
>
> which one is the correct one?
>

md5("44965a835f81ec252d83961d2cc9f3e1" + &HC8 + &HC3 + &H57 + &H17)

in python:

>>> import hashlib
>>> hashlib.md5(b'44965a835f81ec252d83961d2cc9f3e1' + b'\xc8\xc3\x57\x17').hexdigest()
'3885077919d80c95b324e9c68e9d7fdc'
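
Added example, not part of the original message or of PostgreSQL's own code: it parses the server's MD5 request from the tcpdump quoted above, appends the salt as 4 raw bytes, and rebuilds the exact PasswordMessage psql sent. Function names are illustrative, and UTF-8 encoding of user and password is an assumption (the thread leaves the non-ASCII case open).

```python
import hashlib
import struct

# Bytes copied from the tcpdump quoted in this thread.
SERVER_MSG = bytes.fromhex("52 00 00 00 0C 00 00 00 05 C8 C3 57 17")
PSQL_MSG = bytes.fromhex(
    "70 00 00 00 28 6D 64 35 33 38 38 35 30 37 37 39 31 39 64 38 30 63 39 35 62 "
    "33 32 34 65 39 63 36 38 65 39 64 37 66 64 63 00")
# Inner hash quoted in the thread (the pg_shadow value without its "md5" prefix).
INNER_HEX = b"44965a835f81ec252d83961d2cc9f3e1"


def parse_auth_md5(msg: bytes) -> bytes:
    """Return the 4-byte salt from an AuthenticationMD5Password message."""
    if len(msg) != 13:
        raise ValueError("expected 13 bytes")
    tag, length, code = struct.unpack("!cII", msg[:9])
    if (tag, length, code) != (b"R", 12, 5):
        raise ValueError("not an MD5 authentication request")
    return msg[9:]


def inner_hash(password: str, user: str) -> bytes:
    """hex(md5(password + user)); UTF-8 is an assumption of this example."""
    data = (password + user).encode("utf-8")
    return hashlib.md5(data).hexdigest().encode("ascii")


def challenge_response(inner_hex: bytes, salt: bytes) -> bytes:
    # The inner hash goes in as lowercase hex text, the salt as 4 raw bytes
    # (not as the 8 characters of its hex representation).
    return b"md5" + hashlib.md5(inner_hex + salt).hexdigest().encode("ascii")


def password_message(response: bytes) -> bytes:
    """Frame as PasswordMessage: 'p', int32 length (counts itself), text, NUL."""
    body = response + b"\x00"
    return b"p" + struct.pack("!I", len(body) + 4) + body


def reproduce_capture() -> bytes:
    salt = parse_auth_md5(SERVER_MSG)
    return password_message(challenge_response(INNER_HEX, salt))


if __name__ == "__main__":
    print(reproduce_capture() == PSQL_MSG)
```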
