[PARTIAL SOLVED] Re: Auth user with postgresql

Giuseppe Tofoni gt0057 at gmail.com
Tue Feb 21 19:22:11 UTC 2012


Hi,

The password is correct, the problem is postgresql vers. 9.0.3 not "nginx", es:

authuser=# select crypt('multilab', '1$'), pwd from usertable where
user ='multilab' ;
     crypt     | pwd
---------------+---------------
 1$2NVPu8Urs82 | 1$Ln7ocLxd/.k
(1 row)

pwd =1$Ln7ocLxd/.k
salt =1$
PHP calculated and in python crypt.crypt('multilab', pwd[:2] are are correct)

Best regards
Giuseppe

2012/2/21 Piotr Sikora <piotr.sikora at frickle.com>:
> Hi,
>
>
>>> postgres_query    "SELECT user FROM usertable WHERE user=$user AND
>>> pwd=crypt($pass, substr(pwd, 1, 2))";
>>
>>
>> You should never use any part of whatever you're encrypting as the salt
>> because it greatly reduces encryption strength / entropy. By using the
>> first two characters of the password as the salt, you're revealing them
>> because the salt is stored in the first two characters of the resulting
>> crypt() hash:
>>
>> crypt("test", "te") generates "teH0wLIpW0gyQ"
>> crypt("test", "XX") generates "XXF2OrGyU2fzk"
>>
>> So you may want to use something like this:
>>
>> postgres_query    "SELECT user FROM usertable WHERE user=$user AND
>> pwd=crypt($pass, substr($user, 1, 2))";
>
>
> Except that "pwd" used in the above snipped is not password, but the hash
> stored in the database and "pwd=crypt($pass, pwd)" is the correct way to
> verify that "$pass" would evaluate to "pwd" hash (so that the password is
> correct).
>
>
> Best regards,
> Piotr Sikora < piotr.sikora at frickle.com >
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx



More information about the nginx mailing list