How to connect to PostgreSQL server using encrypted password

Problem description

In usual scenarios, the connection string contains the password in plain text, but this can be captured by Wireshark, so I want to use the encrypted password in a connection string. I found the below excerpt from the Postgres documentation:

Encrypting Passwords Across A Network The MD5 authentication method double-encrypts the password on the client before sending it to the server. It first MD5-encrypts it based on the user name, and then encrypts it based on a random salt sent by the server when the database connection was made. It is this double-encrypted value that is sent over the network to the server. Double-encryption not only prevents the password from being discovered, but it also prevents another connection from using the same encrypted password to connect to the database server at a later time.

If I understood it correctly, to get the salt, I need to connect to the database, but doesn't that mean that the password can be spoofed?

I tried to google around but did not find a satisfying solution. I want to understand how I can get the random salt from the PostgreSQL server using Java and then encrypt the plain password with it and use an encrypted password to establish a connection.

Recommended answer

If you, user arvind, set the password to secret, the actual password is set to

'md5' || md5('secret' || 'arvind')

that is md50624d6c2e831004efb7f4173699a1775. That's what you'll find in the pg_authid system catalog.

Now the establishment of a connection works like this:

client to server: I want to connect to database mydb as user arvind.

server to client: Ok, I want MD5 authentication. Your salt is g73j.

The client has been given secret as password.

First, it uses the formula above to get the real password (first hashing).

Then the client hashes again, using

'md5' || md5('0624d6c2e831004efb7f4173699a1775' || 'g73j')

client to server: the hashed password is md573ae1f550fb4bcd28411cefb24b800bc.

The server calculates the same hash and compares the result to what it got from the client.

If that is the same, the server knows that the client must have the real password, otherwise it couldn't have calculated the correct hash.

The password itself is not transferred, so it cannot be stolen by an eavesdropper.

server to client: Ok, you are in.

The actual messages look different of course, but that's all in the documentation.
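
The exchange described in the answer above, as an added Python example that is not part of the original post. It reuses the answer's illustrative values (user arvind, password secret, salt g73j); the second salt k2x9 and the function names are constructed here, to show that a captured response is rejected once the server issues a different salt.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_password(password: str, user: str) -> str:
    """Value kept in pg_authid: 'md5' || md5(password || user)."""
    return "md5" + md5_hex(password.encode() + user.encode())


def client_response(password: str, user: str, salt: bytes) -> str:
    """Value sent over the network: 'md5' || md5(first_hash || salt)."""
    first_hash = stored_password(password, user)[3:]  # drop the 'md5' prefix
    return "md5" + md5_hex(first_hash.encode() + salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored value and the salt it issued."""
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    stored = stored_password("secret", "arvind")  # set once, at password change
    salt_now = b"g73j"    # salt from the answer's example
    salt_later = b"k2x9"  # constructed: salt of a later connection
    captured = client_response("secret", "arvind", salt_now)
    wrong = client_response("Secret", "arvind", salt_now)
    return {
        # Legitimate login: same salt on both sides.
        "accepted": server_verify(stored, salt_now, captured),
        # Eavesdropper replays the captured value on a new connection.
        "replay_accepted": server_verify(stored, salt_later, captured),
        # Client that was given the wrong password.
        "wrong_password_accepted": server_verify(stored, salt_now, wrong),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
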
