Re: MD5 Authentication

From: Raimon Fernandez <coder(at)montx(dot)com>
To: pgsql-general(at)postgresql(dot)org
Cc: John DeSoi <desoi(at)pgedit(dot)com>
Subject: Re: MD5 Authentication
Date: 2009-11-06 08:58:15
Message-ID: 41C5EA1E-A0A6-4976-8CEC-A33465D5A938@montx.com
Lists: pgsql-general


On 06/11/2009, at 8:48, Raimon Fernandez wrote:

> I'm blocked .......
>
>
> On 06/11/2009, at 6:27, John DeSoi wrote:
>
>>
>> On Nov 5, 2009, at 12:35 PM, Raimon Fernandez wrote:
>>
>>> at least, my first md5 (psw+user) is the same as the pg_shadow
>>> (without the 'md5') ...
>>>
>>> should I md5 the first md5 as I get it as string (like username)
>>> or byte by byte ?
>>
>> As far as I know, a string. But it is unclear to me what happens
>> when the user or database name has non-ascii characters. The client
>> encoding is not established until after authentication.
>>
>> I asked about that a while ago but did not get any responses.
>
> After reading all the emails about it, I'm blocked, maybe someone
> can see where the error is and shed some light on it ...
>
> user: postgres (test values)
> psw:postgres (test values)
>
> first md5("postgrepostgres") ==> 44965A835F81EC252D83961D2CC9F3E1
>
> salt: A6B76060
>
>
> second md5("44965A835F81EC252D83961D2CC9F3E1"+"A6B76060") ==>
> 34F74BEF877202D4399092F97EFE8712
>
>
> send to server: header + length +
> "md5"+"34F74BEF877202D4399092F97EFE8712" ==> Fatal error, password
> Authentication failed for user postgres ...

I've created a tcpdump with all information:

server =>

52 (R)
00 00 00 0C (12 length)
00 00 00 05 (5 => md5)
C8 C3 57 17 (token)

psql sends =>

70 00 00 00 28 6D 64 35 33 38 38 35 30 37 37 39 31 39 64 38 30 63 39
35 62 33 32 34 65 39 63 36 38 65 39 64 37 66 64 63 00 => binary

user: postgres
psw: postgre

I can't create an identical HASH with those values, because:

the first md5 is easy: 44965a835f81ec252d83961d2cc9f3e1c8c35717

Now we have to MD5 this one with the token:

1. 44965a835f81ec252d83961d2cc9f3e1c8c35717C8C35717 (uppercase and
lowercase)
2. 44965a835f81ec252d83961d2cc9f3e1c8c35717c8c35717 (lowercase)
3. 44965a835f81ec252d83961d2cc9f3e1c8c35717 + &HC8 + &HC3 + &H57 + &H17
4. ??????????

Which one is the correct one?

thanks,

regards,

raimon
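
The exchange in the tcpdump above, worked through as an added example (not part of the original message and not PostgreSQL's own code): the 4 salt bytes from the server are appended as raw bytes to the lowercase hex text of the first MD5, and that is hashed again. The function names and the `postgres`/`postgres` credentials are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Bytes copied from the tcpdump in the message above.
SERVER_MSG = bytes.fromhex("52 0000000C 00000005 C8C35717")
CLIENT_MSG = bytes.fromhex(
    "70 00 00 00 28 6D 64 35 33 38 38 35 30 37 37 39 31 39 64 38 30 63 39 "
    "35 62 33 32 34 65 39 63 36 38 65 39 64 37 66 64 63 00")

def parse_auth_request(msg: bytes):
    """Split an Authentication ('R') message into (auth_code, salt)."""
    tag, length, code = struct.unpack("!cII", msg[:9])
    if tag != b"R" or length != len(msg) - 1:
        raise ValueError("malformed Authentication message")
    return code, msg[9:]          # code 5 = MD5, followed by a 4-byte salt

def parse_password_message(msg: bytes) -> str:
    """Return the NUL-terminated string carried by a PasswordMessage ('p')."""
    tag, length = struct.unpack("!cI", msg[:5])
    if tag != b"p" or length != len(msg) - 1 or msg[-1:] != b"\x00":
        raise ValueError("malformed PasswordMessage")
    return msg[5:-1].decode("ascii")

def md5_response(user: str, password: str, salt: bytes) -> str:
    # Step 1: lowercase hex of md5(password + user); same text as pg_shadow minus "md5".
    inner = hashlib.md5((password + user).encode()).hexdigest()
    # Step 2: hash that 32-character hex text followed by the 4 raw salt bytes.
    return "md5" + hashlib.md5(inner.encode("ascii") + salt).hexdigest()

def build_password_message(response: str) -> bytes:
    body = response.encode("ascii") + b"\x00"
    return b"p" + struct.pack("!I", len(body) + 4) + body   # length counts itself

def server_accepts(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check using only the stored 'md5...' value and the salt."""
    expected = "md5" + hashlib.md5(stored[3:].encode("ascii") + salt).hexdigest()
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    code, salt = parse_auth_request(SERVER_MSG)
    print("auth code", code, "salt", salt.hex())
    print("captured psql response:", parse_password_message(CLIENT_MSG))
    # "postgres"/"postgres" are assumed test credentials, not confirmed by the capture.
    print("computed response:     ", md5_response("postgres", "postgres", salt))
```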
