Problem description

I tried to generate password for postgres using hashlib from Python.

>>> import hashlib
>>> hashlib.md5(b"psql123").hexdigest()   # bytes input, so this also runs on Python 3
'2636d1ddc54901f98d011ffe050c0eb7'

But postgresql requires an md5 prefix, so then

sudo -u postgres psql
ALTER USER postgres PASSWORD 'md52636d1ddc54901f98d011ffe050c0eb7';

However, authentication would fail if I use psql123 as password.

If I use passlib, I am fine. See http://pythonhosted.org/passlib/lib/passlib.hash.postgres_md5.html

Doing the following using psql123 as password is okay.

ALTER USER postgres PASSWORD 'md556074e7318bd4cee558faab0678a2fad';

I don't understand what the warning in passlib wants to say. Is it okay to use this hash for the postgres user? Also, where in the doc does it say the username has to be part of the input?

I assume this is why postgres can't understand the result from hashlib. As an LDAP user, I can generate a password in the shell. Does postgres have a built-in command to do that? Does psycopg2 have that? It looks like it doesn't.

Recommended answer

Postgres' password hash is very close to what you did, it just needs the username to be included as follows:

import hashlib
pghash = "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()

AFAIK, the postgres docs don't really document this hash format at all, and seem to assume admins will rarely deal with these hashes directly :( There are no builtin methods for generating these hashes that I know of. If the password provided to the ALTER USER command doesn't conform to the postgres hash format, it assumes the password hasn't been hashed, and takes care of that internally - per the docs for CREATE ROLE's ENCRYPTED keyword. (IMHO this is a flawed behavior, because if a hash depends on the username, it means hashes can't be copied and pasted between different accounts, break when the account is renamed, and (guessing entropy wise) have only ~6 bits of effective salt).

The warning at the top of passlib's documentation for the hash could probably be clearer. It was meant to warn people browsing through the passlib documentation that 1) this hash was horribly insecure, 2) that they shouldn't adopt it for use in their own applications, and 3) that it was only fit for the purpose of working with postgres user accounts, since it's the strongest (and only) hash format postgres supports for its own accounts.

(If you're trying to use postgres to hash passwords for your own application's user accounts, I'd strongly second Clodoaldo's recommendation to use bcrypt by way of the pgcrypto extension).
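The hash construction described in the answer, as an added worked example that is not part of the original answer or of PostgreSQL itself: it reproduces the "md5" + MD5(password + username) stored form, checks whether a value is already in that form (the decision ALTER USER makes before hashing), verifies a password against a stored hash for a given role, and builds the ALTER USER statement with the hash precomputed so the plaintext never has to reach the server. The function names and the strict hex check are my own assumptions; you can compare its output for the question's inputs against the passlib value quoted above.

```python
import hashlib
import hmac
import re

# Added example (not code from the answer above): the stored-hash format the
# answer describes, "md5" + hex(MD5(password || username)), plus a verifier
# and a statement builder. All names here are my own.

# PostgreSQL itself only looks for the "md5" prefix and a 35-char length; the
# stricter "32 lowercase hex digits" check below is an assumption of this example.
_PG_MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")


def postgres_md5_hash(password: str, username: str) -> str:
    """Value stored for an MD5-encrypted role password.

    The username is concatenated after the password and is the only
    per-user input, which is why the hash is tied to the role name.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_postgres_md5(value: str) -> bool:
    """True when value is in stored-hash form rather than plaintext."""
    return _PG_MD5_RE.match(value) is not None


def verify_postgres_md5(stored: str, password: str, username: str) -> bool:
    """Check a candidate password/role pair against a stored hash."""
    if not is_postgres_md5(stored):
        return False
    return hmac.compare_digest(stored, postgres_md5_hash(password, username))


def alter_user_statement(username: str, password: str) -> str:
    """Build ALTER USER ... PASSWORD with the hash precomputed client-side."""
    ident = '"' + username.replace('"', '""') + '"'       # quoted identifier
    literal = "'" + postgres_md5_hash(password, username) + "'"  # hex only, nothing to escape
    return "ALTER USER " + ident + " PASSWORD " + literal + ";"


if __name__ == "__main__":
    h = postgres_md5_hash("psql123", "postgres")
    print(alter_user_statement("postgres", "psql123"))
    # Same password under another role name does not verify: the hash cannot
    # be copied between accounts and stops working if the role is renamed.
    print(verify_postgres_md5(h, "psql123", "postgres"))  # True
    print(verify_postgres_md5(h, "psql123", "app_user"))  # False
```

PostgreSQL 10 and later also support SCRAM-SHA-256, which uses a random per-role salt instead of the role name; the md5 form above matters only for older servers or roles whose passwords are still stored that way.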

05-27 04:37