
I am trying to configure Postgres to receive connections with md5 encrypted passwords. I read plenty of manuals and followed the instructions and yet I am unsuccessful.

We have several docker containers, one of them is a Postgres 9 container that we are configuring using the init_db.sh script. The final configuration on a running container is:

listen_addresses = '*'
local all all md5
host all all all md5

Running: lsof -i tcp:5432 (I'm running on my Mac for now), produced this:

COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
com.docke 17454 sigals   36u  IPv4 0x13ec351b99f025cd      0t0  TCP *:postgresql (LISTEN)
com.docke 17454 sigals   37u  IPv6 0x13ec351b8ce8a025      0t0  TCP localhost:postgresql (LISTEN)

When I start the container running with the encrypted password, I get: ERROR org.apache.tomcat.jdbc.pool.ConnectionPool:182 - Unable to create initial connections of pool.

2017-02-08T14:07:43.438478547Z org.postgresql.util.PSQLException: FATAL: password authentication failed for user "myuser"

When I put the password as plaintext it works.

When I configured the IP to localhost only, both encrypted and plaintext passwords worked.

What did I configure wrong?

  • What do you mean by "When I put the password as plaintext it works."? Where do you put passwords? – Vao Tsun Feb 08 '17 at 14:59
  • It's a Spring Boot application working with Hibernate; the password is in application.properties in a property called spring.datasource.password – Sigal Shaharabani Feb 08 '17 at 15:03
  • Then you probably confuse the `md5` you have in `hba.conf` with the md5 hash you pass to the db for authentication? – Vao Tsun Feb 08 '17 at 15:06
  • @VaoTsun What do you mean? – Sigal Shaharabani Feb 08 '17 at 15:07
  • When you have md5 in hba.conf, it does not mean you should use md5 instead of your password. Sorry - I have no experience with Hibernate. Just that sentence "When I put the password as plaintext it works." gave me the idea that you try to pass authentication using a hash of the password – Vao Tsun Feb 08 '17 at 15:09
  • I'm confused, what does it mean then? – Sigal Shaharabani Feb 08 '17 at 15:16
  • It means that the client (NOT USER) "...supplies a double-MD5-hashed password". So I believe when you put md5 in your config, the pg connection hashes it once again. If you are afraid of sniffing, just use md5 in hba; if you want the pg client to send clear text over the network, use `password` instead of md5 – Vao Tsun Feb 08 '17 at 15:25

1 Answer

According to the docs:

md5 Require the client to supply a double-MD5-hashed password for authentication. See Section 20.3.2 for details.

password Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks. See Section 20.3.2 for details.

The JDBC connection will hash the password you supply in the connection string itself - you don't have to md5 it yourself.

Also look here: https://stackoverflow.com/a/39038852/5315974

Vao Tsun
  • Maybe it's because English is not my 1st language, but to me it means that Postgres can get MD5 encrypted passwords and compare them to the encrypted original password. In addition, when my configuration was `host all all 127.0.0.0/24 md5`, my Spring Boot with Hibernate application worked even with the encrypted password. Of course I'm not doubting you, I'm just confused – Sigal Shaharabani Feb 08 '17 at 15:44
  • Let's put it this way. https://www.postgresql.org/docs/9.2/static/protocol-flow.html do you have "AuthenticationMD5Password" in your connection code? If not - don't hash the password yourself. If you do - I'm sorry - you do it right. Now, why you could log in with the wrong (hashed) password having `host all all 127.0.0.0/24 md5` in hba - because you have `trust` for your connection before that line. Do any of those look reasonable? – Vao Tsun Feb 08 '17 at 15:57
  • No, I removed the trust – Sigal Shaharabani Feb 09 '17 at 07:16
  • Can you connect to the db with psql? If so I can give you several pieces of advice on how to check authentication; if not - sorry - I have no experience with Hibernate – Vao Tsun Feb 09 '17 at 08:03
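The point of the answer and the comment thread is that `md5` in pg_hba.conf describes what the client library does on the wire, not what you put in `spring.datasource.password`. The following is an added example, not code from the question or the answer: it reproduces the PostgreSQL md5 authentication scheme that Postgres 9 used (stored value `'md5' + md5(password || username)`, wire response `'md5' + md5(md5(password || username) || salt)`) with Python's `hashlib`, and shows that configuring the client with the stored hash instead of the real password makes the client hash it a second time, so the server's comparison fails exactly as in the "password authentication failed" error above. The username `myuser` is taken from the question; the password `s3cret` and the 4-byte salt are constructed for the example (a real server picks a fresh random salt per connection). Newer PostgreSQL releases default to `scram-sha-256` instead of this scheme.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5_password(password: str, username: str) -> str:
    """Value Postgres stores for an md5-encrypted role: 'md5' + md5(password || username).

    This is what `SELECT rolpassword FROM pg_authid` shows; it is a hash, not the password.
    """
    return "md5" + md5_hex(password.encode() + username.encode())


def client_md5_response(password: str, username: str, salt: bytes) -> str:
    """What libpq / pgjdbc send in reply to AuthenticationMD5Password.

    The client hashes the cleartext password with the username first, then hashes
    that hex digest again with the server-supplied 4-byte salt (the "double MD5").
    """
    inner = md5_hex(password.encode() + username.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: salt the stored hex digest the same way and compare in constant time."""
    if not stored.startswith("md5") or len(stored) != 35:
        raise ValueError("stored value is not an md5-encrypted Postgres password")
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo(username: str = "myuser", password: str = "s3cret") -> dict:
    # Constructed salt; a real server sends 4 random bytes per connection attempt.
    salt = bytes.fromhex("0a1b2c3d")
    stored = stored_md5_password(password, username)

    # Correct client: configured with the cleartext password, the driver does the hashing.
    good = client_md5_response(password, username, salt)

    # The mistake from the question: the client is configured with the stored hash
    # as if it were the password, so the driver hashes the hash once more.
    bad = client_md5_response(stored, username, salt)

    return {
        "stored": stored,
        "plaintext_password_accepted": server_verify(stored, salt, good),
        "hash_as_password_accepted": server_verify(stored, salt, bad),
        # Same password, different salt: the wire response changes, which is why
        # sniffing one exchange does not directly yield a replayable credential.
        "response_changes_with_salt": good != client_md5_response(password, username, b"\x00\x00\x00\x00"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the `hash_as_password_accepted` line is `False` while `plaintext_password_accepted` is `True`: the `md5` method protects the password on the wire by itself, and the application configuration must carry the real password. The `password` method differs only in that the driver sends the cleartext value as-is, which is why the answer recommends it only on trusted networks.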