Re: Authentication Question

Ah, wonderful! Now I can convert existing Postgres users to my own table and
keep their passwords, if I choose to go that way. I'm reading up on groups
now... Done (not much to read!)

Thanks for the help!

> -----Original Message-----
> From: Michael Fuhr [mailto:mfuhr+pgsql-general(at)fuhr(dot)org]
> Sent: Tuesday, December 16, 2003 12:09 PM
> To: Jason Hihn; Pgsql-general
> Subject: Re: [GENERAL] Authentication Question
>
>
> On Tue, Dec 16, 2003 at 10:57:06AM -0600, Bruno Wolff III wrote:
> > On Tue, Dec 16, 2003 at 10:54:47 -0500,
> > Jason Hihn <jhihn(at)paytimepayroll(dot)com> wrote:
> >
> > > Now if I don't use the built in auth, I have to do permission
> checks myself.
> > > But the bigger problem is I don't want to store plain text
> passwords in MY
> > > users table, so I was going to use md5. But then I checked, and the
> > > pg_shadow entry has 'md5' prepended to what I assume is the
> md5 hash of my
> > > password. But when I ask for a md5 hash of my password, I
> don't get the same
> > > number.
> >
> > I don't know for sure, but I would expect that something is
> being used as
> > a salt. This is normal as it makes using prebuilt dictionaries more
> > difficult and prevents you from being able to tell if two accounts
> > have the same password just by looking at the hash.
>
> The user name is the salt:
>
> mydb=# create user johndoe with password 'opensesame';
> CREATE USER
> mydb=# select passwd from pg_shadow where usename = 'johndoe';
> passwd
> -------------------------------------
> md5a7350a3bb54a151a858758c7266c57bd
> (1 row)
>
> mydb=# select md5('opensesame' || 'johndoe');
> md5
> ----------------------------------
> a7350a3bb54a151a858758c7266c57bd
> (1 row)
>
> --
> Michael Fuhr
> http://www.fuhr.org/~mfuhr/
>