Thread: libpq / crypt / md5 question
I have a mail server using a PostgreSQL database for virtual lookups and I'm using Courier IMAP with the pgsql hooks for mailbox access. First, this setup is working beautifully, that's not the problem.

It seems that courier can only connect to the PG database when the auth type is set to crypt in the pg_hba.conf file. This is somewhat strange but brings me to my question.

On the client side, am I responsible for making the password an MD5 hash, or does libpq take care of that on its own? In courier's pgsql code I see:

    pgconn = PQsetdbLogin(server, server_port, server_opt, NULL, database, userid, password);
    .....

Which is pretty straightforward, but that password is always going to be passed to PQsetdbLogin() as plain text. So where does the MD5'ing or DES crypt'ing come into the connection?

I've honestly never paid any attention to the auth type until now as I've *always* used just a local socket for access to PG, or the trust auth type (none of my servers were public and accessible by more than a controlled group of users until now).

If I missed any of this in the documentation, please feel free to smack me with an RTFM stick. :-)

Thanks guys!

-Mitch
There are three kinds of people in this world. Those that can count and those that can't.

Mitch Vincent <mitch@doot.org> writes:
> On the client side, am I responsible for making the password an MD5
> hash, or does libpq take care of that on its own?

libpq does it. This is necessary, since the client shouldn't be expected to know which way the password is to be encrypted on the wire. The password given to libpq must always be cleartext.

> It seems that courier can only connect to the PG database when the auth
> type is set to crypt in the pg_hba.conf file. This is somewhat strange

I suspect it means that courier is linked to an old version of libpq.

regards, tom lane
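
Added example, not part of the thread: what happens to the cleartext password under md5 authentication, following PostgreSQL's documented scheme (response = "md5" + md5(md5(password + username) + salt)), and why an application that hashes the password itself before handing it to the library fails to log in. The user name, password and salts are constructed, and the function names are illustrative, not libpq's.

```python
import hashlib
import hmac


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, username: str) -> str:
    """What the server keeps for an md5 role: 'md5' + md5(password || username)."""
    return "md5" + _md5_hex(password.encode() + username.encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """What the client library sends back after the server's 4-byte salt challenge.

    `password` is whatever the application passed in; the library treats it as cleartext.
    """
    inner = _md5_hex(password.encode() + username.encode())
    return "md5" + _md5_hex(inner.encode() + salt)


def server_accepts(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: re-hash the stored inner digest with the salt it issued."""
    expected = "md5" + _md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo(salt: bytes = b"\x01\x02\x03\x04") -> dict:
    user, password = "courier", "s3cret-example"  # constructed values
    verifier = stored_verifier(password, user)

    # Normal case: application hands the cleartext password to the library.
    good = client_response(password, user, salt)
    # Mistake: application hashes first and passes the hash as the "password".
    prehashed = client_response(verifier, user, salt)

    return {
        "cleartext_ok": server_accepts(verifier, salt, good),
        "prehashed_ok": server_accepts(verifier, salt, prehashed),
        # A captured response is useless against a different salt.
        "replay_ok": server_accepts(verifier, b"\x09\x08\x07\x06", good),
    }


if __name__ == "__main__":
    print(demo())
```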

I'm not sure how it's linking to an old libpq as it's a fresh install with only one install of PG but I will investigate now that I have the answer below.

Thanks Tom! Fast and helpful as always! Do you ever take a day off? :-)

> Mitch Vincent <mitch@doot.org> writes:
>> On the client side, am I responsible for making the password an MD5
>> hash, or does libpq take care of that on its own?
>
> libpq does it. This is necessary, since the client shouldn't be
> expected to know which way the password is to be encrypted on the wire.
> The password given to libpq must always be cleartext.
>
>> It seems that courier can only connect to the PG database when the
>> auth
>> type is set to crypt in the pg_hba.conf file. This is somewhat strange
>
> I suspect it means that courier is linked to an old version of libpq.
>
> regards, tom lane
>

-Mitch
Freedom is the right to be wrong, not the right to do wrong.