Re: Database users Passwords

From: Shane Ambler <pgsql(at)007Marketing(dot)com>
To: Jeff Davis <pgsql(at)j-davis(dot)com>
Cc: DEV <dev(at)umpa-us(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Database users Passwords
Date: 2006-10-17 18:09:02
Message-ID: 45351C3E.7030200@007Marketing.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-docs pgsql-general

Jeff Davis wrote:
> On Tue, 2006-10-17 at 10:41 -0400, DEV wrote:
>> Hello all,
>>
>> I have user information in a table that I want to use to add
>> users to the user roles tables that are part of postgresql. My
>> question is this: the passwords in my user table are in there as a
>> text file with the data being encrypted using the crypt function, is
>> there a way I can use this crypt password when I do a “CREATE ROLE
>> userid LOGIN PASSWORD 'crypt password' NOSUPERUSER INHERIT NOCREATEDB
>> NOCREATEROLE†I know that in the current CREATE ROLE I have listed
>> will take a clear text password and encrypt it for me. What do I need
>> to change to use an encrypted password?
>>
>
> If user is foo and password is bar, do:
>
> =# select md5('barfoo');
> LOG: duration: 0.140 ms statement: select md5('barfoo');
> md5
> ----------------------------------
> 96948aad3fcae80c08a35c9b5958cd89
> (1 row)
>
> =# create role foo login password 'md596948aad3fcae80c08a35c9b5958cd89'
> nosuperuser inherit nocreatedb nocreaterole;
>
> This seems to be lacking in the docs. At least, the only place I found
> this information was a user comment in the 8.0 docs. Is this already in
> the 8.1 docs? Should we add a description of the way postgresql does the
> md5 hashes in the CREATE ROLE section?
>

That works the way you have done it - what you have done is calculate
the encrypted password the same way that postgres encrypts it (using
md5) instead of using ENCRYPTED within the create role.

The issue is that the 'crypted' version will not work if entered in
create role that way. The entered password at login will be md5ed which
won't match the crypt version stored.

What Dev would want to look for (probably create) is a small script that
will read his list of crypt passwords and un-crypt them into a create
role string that is fed to psql.

I am going on the assumption that the crypt function you refer to is the
system level crypt (also called enigma).

something along the lines of (just in pseudo code)

for each user {
$userid = SELECT userid FROM table;
$userPass = crypt < SELECT userCryptedPasswordText FROM table;

$psqlCommand = "CREATE ROLE $userid LOGIN ENCRYPTED PASSWORD $userPass
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE"

psql < $psqlCommand
}

Not sure if you can achieve this from an sql command - my guess is you
may get it if you setup a function in say pl/Perlu to do the
un-crypting. But that would mean using INSERT INTO pg_authid.... which
is not the recommended way (CREATE ROLE doesn't support sub-selects).
Creating a client that reads, un-crypts, then sends the CREATE ROLE
commands would be the best and simplest way.

--

Shane Ambler
Postgres(at)007Marketing(dot)com

Get Sheeky @ http://Sheeky.Biz

In response to

Responses

Browse pgsql-docs by date

  From Date Subject
Next Message Jorge Godoy 2006-10-17 19:00:05 Re: Database users Passwords
Previous Message Jeff Davis 2006-10-17 17:54:41 Re: Database users Passwords

Browse pgsql-general by date

  From Date Subject
Next Message Steve Poe 2006-10-17 18:35:15 Re: Fast backup/restore
Previous Message Vivek Khera 2006-10-17 17:58:34 Re: Fast backup/restore