Creating user with encrypted password in PostgreSQL

慢半拍i 2020-12-04 19:01

Is it possible to create a user in PostgreSQL without providing the plain text password (ideally, I would like to be able to create a user providing only its password crypte

3 Answers
  • 2020-12-04 19:38

    I'm not aware of a way to override the default md5 encryption of passwords, but if you have a ROLE (aka "USER") that has an already md5-encrypted password, it appears that you can supply that. Verify this using pg_dumpall -g (to see the globals from the cluster). E.g.:

    psql postgres
    create role foo with encrypted password 'foobar';
    \q
    
    -- View the role from pg_dumpall -g
    pg_dumpall -g | grep foo
    CREATE ROLE foo;
    ALTER ROLE foo WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN NOREPLICATION PASSWORD 'md5c98cbfeb6a347a47eb8e96cfb4c4b890';
    
    -- Or get it from:
    select * from pg_catalog.pg_shadow;
    
    -- create the role again with the already-encrypted password
    psql postgres
    drop role foo;
    CREATE ROLE foo;
    ALTER ROLE foo WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN NOREPLICATION PASSWORD 'md5c98cbfeb6a347a47eb8e96cfb4c4b890';
    \q
    
    -- view the ROLE with the same password
    pg_dumpall -g | grep foo
    CREATE ROLE foo;
    ALTER ROLE foo WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN NOREPLICATION PASSWORD 'md5c98cbfeb6a347a47eb8e96cfb4c4b890';
    

    Docs for CREATE ROLE

  • 2020-12-04 19:45

    You may provide the password already hashed with md5, as said in the doc (CREATE ROLE):

    ENCRYPTED / UNENCRYPTED: These key words control whether the password is stored encrypted in the system catalogs. (If neither is specified, the default behavior is determined by the configuration parameter password_encryption.) If the presented password string is already in MD5-encrypted format, then it is stored encrypted as-is, regardless of whether ENCRYPTED or UNENCRYPTED is specified (since the system cannot decrypt the specified encrypted password string). This allows reloading of encrypted passwords during dump/restore.

    The information that's missing here is that the MD5-encrypted string should be the password concatenated with the username, plus md5 at the beginning.

    So for example to create u0 with the password foobar, knowing that md5('foobaru0') is ac4bbe016b808c3c0b816981f240dcae:

    CREATE USER u0 PASSWORD 'md5ac4bbe016b808c3c0b816981f240dcae';
    

    and then u0 will be able to log in by typing foobar as the password.

    I don't think that there's currently a way to use SHA-256 instead of md5 for PostgreSQL passwords.

  • 2020-12-04 19:56

    A much easier way to do this is:

    CREATE USER u0 PASSWORD 'foobar';

    select * from pg_catalog.pg_shadow;
    

    Gives passwd: md5ac4bbe016b808c3c0b816981f240dcae

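The stored format described in the answers above ('md5' followed by the MD5 of the password concatenated with the role name) can be computed on the client, so the plaintext never appears in the statement sent to the server or in its logs. The following is an added example, not code from the original answers; the function names are hypothetical, and the sample values (u0, foobar) are the ones used in the answers.

```python
import hashlib
import hmac
import re

# PostgreSQL treats a password string of this shape as already hashed.
_MD5_FORMAT = re.compile(r"md5[0-9a-f]{32}")


def pg_md5_verifier(username: str, password: str) -> str:
    """Return 'md5' + md5(password || username), as stored in pg_shadow.passwd."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_md5_verifier(value: str) -> bool:
    """True if value has the pre-hashed shape: 'md5' plus 32 hex characters."""
    return _MD5_FORMAT.fullmatch(value) is not None


def quote_ident(name: str) -> str:
    """Quote a role name as an SQL identifier, doubling embedded double quotes."""
    if not name or "\x00" in name:
        raise ValueError("invalid role name")
    return '"' + name.replace('"', '""') + '"'


def create_user_sql(username: str, password: str) -> str:
    """Build a CREATE USER statement that carries only the hash."""
    verifier = pg_md5_verifier(username, password)
    # Quoting the identifier stops case folding, so the role name stored by
    # the server is exactly the string that was hashed with the password.
    # The verifier is only 'md5' + hex digits, so it is safe in a literal.
    return f"CREATE USER {quote_ident(username)} PASSWORD '{verifier}';"


def check_password(stored: str, username: str, candidate: str) -> bool:
    """Compare a candidate password against a stored pg_shadow.passwd value."""
    if not is_md5_verifier(stored):
        return False  # not in the md5 format this example handles
    return hmac.compare_digest(stored, pg_md5_verifier(username, candidate))


if __name__ == "__main__":
    # Sample values from the answers above: role u0, password foobar.
    print(create_user_sql("u0", "foobar"))
    # The role name acts as the salt: same password, different role, new hash.
    print(pg_md5_verifier("foo", "foobar") != pg_md5_verifier("u0", "foobar"))
```

Because the role name is part of the hashed input, renaming a role invalidates its stored md5 password.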