On 2017-11-10 08:25:24 -0500, chiru r wrote: > I am trying to understand the Authentication method in pg_hba.conf file > (password & md5) in PostgreSQL database server. > > I am assuming that the user provides the connection string host/usser/ > password,then client will go and contact the DB server pg_hba.conf file in > memory without carrying password over the network initially, and then it > confirms the authentication method from pg_hba.conf ,then it decides weather it > send clear text or md5 encrypted password from client to Server to make a > session? I'm not sure what "it" refers to in this sentence. If "it" refers to the client (as grammatically it should) then the answer is no. The client doesn't have access to the pg_hba.conf file. The client connects to the server, sending the username and database name, but not (yet) the password. Then the server checks the pg_hba.conf file to determine which authentication method to use. The server then sends an authentication request to the client, to which the client sends a response (including, or based on, the password). > Is my assumption is correct ? or What exactly it make the difference for client > if i use md5/password in pg_hba.conf file in DB server?. See https://www.postgresql.org/docs/10/static/auth-methods.html#AUTH-PASSWORD With method password, passwords are sent in plain text. With md5, an md5 hash of the password, the username, and a nonce is sent instead. hp -- _ | Peter J. Holzer | we build much bigger, better disasters now |_|_) | | because we have much more sophisticated | | | hjp@xxxxxx | management tools. __/ | http://www.hjp.at/ | -- Ross Anderson <https://www.edge.org/>
Attachment:
signature.asc
Description: PGP signature
