
In Python I can connect to a PostgreSQL database with the following code:

```python
import postgresql

# $user, $pass, $host, $port and $dbname are placeholders
db = postgresql.open("pq://$user:$pass@$host:$port/$dbname")
```

But in the above line I have to enter the plaintext password, and then py-postgresql will hash it to compare with the hash value stored in the PostgreSQL database. What if I want to use a password that I have hashed with MD5 myself, which means I don't want py-postgresql to do the hashing for me? How can I do it? I tried to modify the source code of py-postgresql, but I couldn't find where the hashing happens. Then I found that in the settings of py-postgresql I can enable SSL mode. Can someone give me a simple example of how to set it?

Kind regards.

Martin Samson
user1067671
  • The hashing happens inside the server itself and that hash is compared to the stored hash. Therefore the password is not hashed until it has left your application and has reached the server. Which is logical really, as if you could just send the hash instead then that means it would accept the hash and therefore all the passwords are stored in plain text (in essence) as if they are downloaded they can be used to access the server. – Paul Collingwood Jan 02 '13 at 16:07
  • What are you trying to accomplish by storing only the hash in the code? If the hash was all you needed to authenticate, then it is a [plaintext equivalent](http://srp.stanford.edu/issues.html), and someone who can read it has just as much access to your database as someone who can read the password. – Phil Frost Jan 02 '13 at 17:57

1 Answer


The way DB-API works is by supplying the plaintext password. Furthermore, py-postgresql does not do the password hashing/verification; the server does it as part of the connection handshake (see `pg_hba.conf` as to how/why it does it).

If you are looking at securing the transmission of the password, use the SSL connection protocol instead of the plaintext one. The SSL mode will also encrypt all data transmitted between the server and the client.

Martin Samson
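The "plaintext equivalent" point from the comments on the question, worked through for PostgreSQL's `md5` authentication method as an added example (not code from py-postgresql or from anyone in this thread). The user name and password are constructed sample values, and the function names are hypothetical; only the standard library is used.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    """Value the server stores for an md5 role: 'md5' + md5(password + user)."""
    return "md5" + md5_hex(password.encode() + user.encode())


def response_from_verifier(verifier: str, salt: bytes) -> str:
    """Reply to the server's 4-byte salt, computed from the verifier alone."""
    inner = verifier[3:]  # drop the literal "md5" prefix
    return "md5" + md5_hex(inner.encode() + salt)


def response_from_password(user: str, password: str, salt: bytes) -> str:
    """The same reply, as computed when the plaintext password is supplied."""
    return response_from_verifier(stored_verifier(user, password), salt)


def server_accepts(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check: recompute from the stored value, compare in constant time."""
    expected = response_from_verifier(stored, salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    user, password = "app_user", "constructed-example-password"  # constructed values
    stored = stored_verifier(user, password)
    salt = os.urandom(4)  # the server picks a fresh salt per connection
    return {
        # Normal login: the reply is derived from the plaintext password.
        "with_password": server_accepts(
            stored, salt, response_from_password(user, password, salt)),
        # Same outcome when only the stored hash is known, so it is a credential.
        "with_hash_only": server_accepts(
            stored, salt, response_from_verifier(stored, salt)),
        "wrong_password": server_accepts(
            stored, salt, response_from_password(user, "guess", salt)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the stored value alone produces an accepted reply, keeping the MD5 hash in application code instead of the password protects nothing; it needs the same handling as the password itself.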