Authentication Question

I am trying to decide between using 1 account for web DB access, and doing
the auth myself, or using the database's built in auth. It's more steps to
use the database's, but it's also more secure.

1st problem with using the DB's auth: We want usernames to be email
addresses, but it chokes on the @ sign:
# create user jh@paytimepayroll.com with password 'cow';
ERROR: syntax error at or near "@" at character 16

I can't figure out how to escape the @ sign.

2nd problem with using the DB's auth:
I need to grant all permissions on all objects in a database to the new
user. I have yet to figure out how this is done easily. I had to do it
table-by-table!

Now if I don't use the built in auth, I have to do permission checks myself.
But the bigger problem is I don't want to store plain text passwords in MY
users table, so I was going to use md5. But then I checked, and the
pg_shadow entry has 'md5' prepended to what I assume is the md5 hash of my
password. But when I ask for a md5 hash of my password, I don't get the same
number.
ex:
user | passwd
-------------------------------------------
jh | md5a8249f07eb642f6e9f4692db0519b4f7

#select md5('mypassword');
md5
----------------------------------
a78a900156649857f407cf67b1cd12cd

If the experts could weigh in, I'd appreciate it!

Jason Hihn
Paytime Payroll

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to ma*******@postgresql.org)

Nov 12 '05 #1
On Tue, Dec 16, 2003 at 10:54:47 -0500,
Jason Hihn <jh***@paytimepayroll.com> wrote:
> I am trying to decide between using 1 account for web DB access, and doing
> the auth myself, or using the database's built in auth. It's more steps to
> use the database's, but it's also more secure.
>
> 1st problem with using the DB's auth: We want usernames to be email
> addresses, but it chokes on the @ sign:
> # create user jh@paytimepayroll.com with password 'cow';
> ERROR: syntax error at or near "@" at character 16
>
> I can't figure out how to escape the @ sign.

I believe double quotes are the correct way to allow for special characters
in the user name.

> 2nd problem with using the DB's auth:
> I need to grant all permissions on all objects in a database to the new
> user. I have yet to figure out how this is done easily. I had to do it
> table-by-table!

The best way to do this is to give a group access to all of the objects and
then just add or remove users from that group as needed.

> Now if I don't use the built in auth, I have to do permission checks myself.
> But the bigger problem is I don't want to store plain text passwords in MY
> users table, so I was going to use md5. But then I checked, and the
> pg_shadow entry has 'md5' prepended to what I assume is the md5 hash of my
> password. But when I ask for a md5 hash of my password, I don't get the same
> number.

I don't know for sure, but I would expect that something is being used as
a salt. This is normal as it makes using prebuilt dictionaries more
difficult and prevents you from being able to tell if two accounts
have the same password just by looking at the hash.

> ex:
> user | passwd
> -------------------------------------------
> jh | md5a8249f07eb642f6e9f4692db0519b4f7
>
> #select md5('mypassword');
> md5
> ----------------------------------
> a78a900156649857f407cf67b1cd12cd
>
> If the experts could weigh in, I'd appreciate it!

Nov 12 '05 #2
Jason Hihn wrote:
> 1st problem with using the DB's auth: We want usernames to be email
> addresses, but it chokes on the @ sign:
> # create user jh@paytimepayroll.com with password 'cow';
> ERROR: syntax error at or near "@" at character 16

create user "jh@paytimepayroll.com" ...;

> 2nd problem with using the DB's auth:
> I need to grant all permissions on all objects in a database to the
> new user. I have yet to figure out how this is done easily. I had to
> do it table-by-table!

Use groups.

Nov 12 '05 #3
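The two answers above (quote the identifier, attach privileges to a group) can be combined into one provisioning step. The following is an added example, not code from the thread or from PostgreSQL: a small Python generator that emits the DDL you would paste into psql. The group name "webusers", the user list and the table names are constructed for illustration. Beyond what the replies say, it shows the one escape rule quoted identifiers have (a double quote inside the name is written twice), and it checks a caveat a practitioner hits with e-mail addresses as role names: PostgreSQL truncates identifiers to 63 bytes (NAMEDATALEN - 1), so two long addresses sharing their first 63 bytes would silently become the same role.

```python
"""Generate the group-based DDL discussed above (constructed example)."""

# PostgreSQL's default NAMEDATALEN is 64, so identifiers longer than
# 63 bytes are silently truncated (the server only emits a NOTICE).
NAMEDATALEN = 64


def quote_ident(name: str) -> str:
    """Wrap name in double quotes so it is taken literally as an identifier.

    The only character that needs escaping inside a quoted identifier is
    the double quote itself, written twice. '@', '.', spaces and upper-case
    letters are all fine (case is preserved, unlike for unquoted names).
    """
    if "\0" in name:
        raise ValueError("NUL bytes are not allowed in identifiers")
    return '"' + name.replace('"', '""') + '"'


def identifier_fits(name: str) -> bool:
    """True if name survives NAMEDATALEN truncation unchanged."""
    return len(name.encode("utf-8")) <= NAMEDATALEN - 1


def quote_literal(value: str) -> str:
    """Quote a string literal (the password) by doubling single quotes.

    Backslashes are rejected: whether they act as escapes depends on the
    server's standard_conforming_strings setting, so a generator that must
    be correct on every version is better off refusing them.
    """
    if "\\" in value or "\0" in value:
        raise ValueError("backslashes and NUL bytes are not supported here")
    return "'" + value.replace("'", "''") + "'"


def provision_script(group: str, users, tables) -> str:
    """Return the SQL that creates the group, the users and the grants.

    users:  iterable of (username, password) pairs
    tables: iterable of table names to grant on
    Privileges are attached to the group once; adding or removing a user
    later is a single ALTER GROUP statement.
    """
    stmts = [f"CREATE GROUP {quote_ident(group)};"]
    for username, password in users:
        if not identifier_fits(username):
            raise ValueError(f"{username!r} would be truncated to 63 bytes")
        stmts.append(
            f"CREATE USER {quote_ident(username)} "
            f"WITH PASSWORD {quote_literal(password)};"
        )
        stmts.append(
            f"ALTER GROUP {quote_ident(group)} ADD USER {quote_ident(username)};"
        )
    for table in tables:
        stmts.append(
            f"GRANT ALL ON {quote_ident(table)} TO GROUP {quote_ident(group)};"
        )
    return "\n".join(stmts)


if __name__ == "__main__":
    # Constructed input: one address from the thread, one with an embedded
    # quote, and a table name that needs quoting because of the space.
    print(provision_script(
        "webusers",
        [("jh@paytimepayroll.com", "cow"), ('o"brien@example.com', "it's")],
        ["employees", "Pay Runs"],
    ))
```

The table list can be pulled from the catalog with `SELECT tablename FROM pg_tables WHERE schemaname = 'public';`. On PostgreSQL 9.0 and later the per-table loop is unnecessary: `GRANT ALL ON ALL TABLES IN SCHEMA public TO webusers;` covers existing tables and `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO webusers;` covers tables created afterwards (sequences and functions need their own grants either way).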
On Tue, Dec 16, 2003 at 10:57:06AM -0600, Bruno Wolff III wrote:
> On Tue, Dec 16, 2003 at 10:54:47 -0500,
> Jason Hihn <jh***@paytimepayroll.com> wrote:
> > Now if I don't use the built in auth, I have to do permission checks myself.
> > But the bigger problem is I don't want to store plain text passwords in MY
> > users table, so I was going to use md5. But then I checked, and the
> > pg_shadow entry has 'md5' prepended to what I assume is the md5 hash of my
> > password. But when I ask for a md5 hash of my password, I don't get the same
> > number.
>
> I don't know for sure, but I would expect that something is being used as
> a salt. This is normal as it makes using prebuilt dictionaries more
> difficult and prevents you from being able to tell if two accounts
> have the same password just by looking at the hash.

The user name is the salt:

mydb=# create user johndoe with password 'opensesame';
CREATE USER
mydb=# select passwd from pg_shadow where usename = 'johndoe';
passwd
-------------------------------------
md5a7350a3bb54a151a858758c7266c57bd
(1 row)

mydb=# select md5('opensesame' || 'johndoe');
md5
----------------------------------
a7350a3bb54a151a858758c7266c57bd
(1 row)

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/

Nov 12 '05 #4
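Michael Fuhr's session shows the stored value is the literal prefix "md5" followed by md5(password || username). The following Python is an added example, not code from the thread or from PostgreSQL; the function names are mine. It reproduces that computation, then adds two things the thread does not show: verifying a password against such a value (which is what reusing pg_shadow entries in your own users table would need), and the challenge/response PostgreSQL's MD5 authentication uses on the wire, where the client answers a 4-byte server salt with "md5" + md5(md5(password || username) || salt). Since the inner hash is exactly what pg_shadow holds, the stored value alone is enough to log in; it is password-equivalent, so a read of pg_shadow is as bad as a read of the plaintext. The caveats that follow from the format: the user name is a predictable salt, MD5 is fast, and the same user/password pair yields the same hash on every server. PostgreSQL 10 replaced this scheme with SCRAM-SHA-256.

```python
"""Reproduce and verify PostgreSQL's legacy MD5 password format (added example)."""
import hashlib
import hmac
import os

# Format shown in the thread: "md5" + hex MD5 of password || username.
MD5_PREFIX = "md5"


def pg_md5_stored(password: str, username: str) -> str:
    """Return the pg_shadow/passwd value for a user with an MD5 password."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return MD5_PREFIX + digest


def verify_password(stored: str, password: str, username: str) -> bool:
    """Check a password against a pg_shadow-style value.

    Works for a value copied out of pg_shadow or for one an application
    stored in the same format. The compare is constant-time so the check
    does not leak how many leading characters matched.
    """
    if not stored.startswith(MD5_PREFIX) or len(stored) != len(MD5_PREFIX) + 32:
        return False
    expected = pg_md5_stored(password, username)
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def md5_auth_response(stored: str, salt: bytes) -> str:
    """Answer an AuthenticationMD5Password challenge from the stored value.

    The client reply is "md5" + md5(md5(password || username) || salt), and
    md5(password || username) is the part after the prefix in pg_shadow.
    Nothing here needs the password: the stored value is password-equivalent.
    """
    inner_hex = stored[len(MD5_PREFIX):]
    return MD5_PREFIX + hashlib.md5(inner_hex.encode("ascii") + salt).hexdigest()


def md5_auth_response_from_password(password: str, username: str, salt: bytes) -> str:
    """What a well-behaved client computes from the real password."""
    return md5_auth_response(pg_md5_stored(password, username), salt)


if __name__ == "__main__":
    # Constructed inputs, using the user and password from the thread.
    stored = pg_md5_stored("opensesame", "johndoe")
    print(stored)  # md5a7350a3bb54a151a858758c7266c57bd
    print(verify_password(stored, "opensesame", "johndoe"))  # True
    print(verify_password(stored, "opensesame", "janedoe"))  # False: the salt is the user name

    # Same password, different user names: different stored values, so you
    # cannot spot shared passwords by eye, but the salt is still predictable.
    print(pg_md5_stored("cow", "jh") == pg_md5_stored("cow", "jh@paytimepayroll.com"))  # False

    # Challenge/response: a client holding only the pg_shadow value produces
    # the same answer as a client holding the password.
    salt = os.urandom(4)
    print(md5_auth_response(stored, salt)
          == md5_auth_response_from_password("opensesame", "johndoe", salt))  # True
```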
Ah, wonderful! Now I can convert existing Postgres users to my own table and
keep their passwords, if I choose to go that way. I'm reading up on groups
now... Done (not much to read!)

Thanks for the help!
-----Original Message-----
From: Michael Fuhr [mailto:mf*****************@fuhr.org]
Sent: Tuesday, December 16, 2003 12:09 PM
To: Jason Hihn; Pgsql-general
Subject: Re: [GENERAL] Authentication Question

Nov 12 '05 #5
