Menu

#11 md5_postgres does not include 'md5' prefix on hash

0.5.2-1
closed
William Grzybowski
None
5
2014-10-02
2011-11-10
Brian Almeida
No

The md5_postgres method does not match the way postgres does it - there is a missing 'md5' from the hash:

Example:

template1=# alter user bma with encrypted password 'foobar';
ALTER ROLE
template1=# select passwd from pg_shadow where usename = 'bma';
passwd

md540056e0a5328aab9feb305ff9ffd390f
(1 row)

By adding some debug statements to src/backend_pgsql.c, we get the following:

Nov 9 21:41:30 labkey-test PAM_pgsql[29443]: encrypted foobarbma to 40056e0a5328aab9feb305ff9ffd390f
Nov 9 21:41:30 labkey-test PAM_pgsql[29443]: stored_pw = md540056e0a5328aab9feb305ff9ffd390f, tmp = 40056e0a5328aab9feb305ff9ffd390f

md5_postgres will always fail to authenticate the user without the md5 prefix, unless the user does a custom query to strip the 'md5' prefix coming out of the database.

Discussion

  • Jan Dittberner

    Jan Dittberner - 2014-09-27

    add Debian patch for this issue

     
    pwtype_md5_postgres_fix_757556.patch

  • Jan Dittberner

    Jan Dittberner - 2014-09-27

    Ticket moved from /p/pam-pgsql/bugs/12/

     

  • William Grzybowski

    William Grzybowski - 2014-10-02
    • status: open --> accepted
    • assigned_to: William Grzybowski
    • Group: --> 0.5.2-1
     

  • William Grzybowski

    William Grzybowski - 2014-10-02
    • status: accepted --> closed
     

Log in to post a comment.