Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/24910513/

Time: 2020-10-21 01:33:28  Source: igfitidea

Login to PostgreSQL using md5 encrypted password and not plaintext password

postgresql authentication passwords md5 psql

Asked by user3610957

I have created a user using an md5 encrypted password as follows:

create user testuser with encrypted password 'md54ca03099a7cd3945e0260801ff5972a3';

The encrypted password is a combination of md5+password+username

password=test
username=testuser

Added entry for testuser in pg_hba.conf file with md5 method

Now I am trying to log in using the above created user as follows:

psql -d dbexpress -U testuser

It prompts for a password. I have provided the above encrypted password, so it is giving me the error:

psql: FATAL:  password authentication failed for user "testuser"

But I am able to log in to postgresql using the plaintext password "test".

Answered by Erwin Brandstetter

The authentication method md5 is unrelated to the encryption of passwords in the system catalog (the keyword ENCRYPTED in CREATE ROLE):

Per documentation on the authentication method:

The password-based authentication methods are md5 and password. These methods operate similarly except for the way that the password is sent across the connection, namely MD5-hashed and clear-text respectively.

Per documentation on the ENCRYPTED keyword in CREATE ROLE:

ENCRYPTED
UNENCRYPTED

These key words control whether the password is stored encrypted in the system catalogs. (If neither is specified, the default behavior is determined by the configuration parameter password_encryption.) If the presented password string is already in MD5-encrypted format, then it is stored encrypted as-is, regardless of whether ENCRYPTED or UNENCRYPTED is specified (since the system cannot decrypt the specified encrypted password string). This allows reloading of encrypted passwords during dump/restore.

Both use md5 encryption, but the first is concerned with transport and the second with storage. You are still expected to provide the unencrypted password for your login, even when using the authentication method md5 (setting in pg_hba.conf). The user name is used as salt for md5 encryption on client and server.

First matching entry in pg_hba.conf

About your remark:

Added entry for testuser in pg_hba.conf file with md5 method.

Don't just "add" an entry. The first matching line in pg_hba.conf is applied!

Per documentation on pg_hba.conf:

The first record with a matching connection type, client address, requested database, and user name is used to perform authentication.

Bold emphasis mine in all quotes.

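The storage and transport steps described in the answer above, as an added Python sketch that is not part of the original question or answer. It models the stored `md5` + md5(password + username) format and the md5 challenge-response to show why typing the stored hash at the prompt fails while the plaintext password succeeds. The function names are hypothetical, and the 4-byte per-connection salt is taken from the PostgreSQL protocol documentation rather than from this page.

```python
import hashlib
import hmac
import os


def pg_md5_stored(password: str, username: str) -> str:
    """Catalog format for md5 passwords: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def client_response(typed: str, username: str, salt: bytes) -> str:
    """What the client sends for the md5 method.

    It hashes whatever was typed at the prompt together with the user name,
    then hashes that hex digest again with the server's per-connection salt.
    """
    inner = hashlib.md5((typed + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_accepts(stored: str, response: str, salt: bytes) -> bool:
    """Server side: derive the expected response from the stored hash."""
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def login(typed: str, username: str, stored: str) -> bool:
    """Simulate one authentication attempt with a fresh random salt."""
    salt = os.urandom(4)  # assumption: 4-byte salt, per the protocol docs
    return server_accepts(stored, client_response(typed, username, salt), salt)


if __name__ == "__main__":
    # Constructed sample values matching the question: password "test", user "testuser".
    stored = pg_md5_stored("test", "testuser")
    print("typed plaintext  ->", login("test", "testuser", stored))
    # Typing the stored hash makes the client hash it a second time, so it never matches.
    print("typed stored hash ->", login(stored, "testuser", stored))
```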