Setting user Postgres passwords via MD5

Say you want to create a Postgres account for a user but you don’t want them to have to reset it after logging in, and you don’t want to do the “come type in a password on my computer” routine. Well, here’s one way around this.

  1. Have the user generate an MD5 of their password on their local computer. Postgres uses the username as the salt for the hash, so the command to generate the md5 on a Mac would be (assuming a username of ‘ehoffman’ and a password of ‘abcdefg’):
    [evan@Evans-MacBook-Pro ~] $ echo -n abcdefgehoffman | md5
    95eebfcce27162773a3828689df9d79e
    

    The “-n” is important – without it, the newline gets included in the hash. After they generate their MD5, have them send it to you (along with their username).

  2. Create the user’s account in the database (or ALTER ROLE if it already exists):
    CREATE ROLE ehoffman LOGIN INHERIT ENCRYPTED PASSWORD 'md595eebfcce27162773a3828689df9d79e';
    

    Syntax for an existing account:

    ALTER ROLE ehoffman ENCRYPTED PASSWORD 'md595eebfcce27162773a3828689df9d79e';
    

That’s it. This has the added benefit of the password never being logged in the DB logs or the .psql_history. The main downside is the possibility of user error.

Advertisements

Victory! Change Active Directory Password via LDAP through browser

I had to give up on PHP and go to Perl, but it turned out not to be so bad. Users can now change their Active Directory passwords via a self-service web page that doesn’t require admin credentials. The Perl code is below.  Authentication to the script is done via .htaccess LDAP authentication, so the REMOTE_USER env variable is assumed to contain the user’s username (sAMAccountName) by the time this script is called.  There is a simple check for $ENV{HTTPS} to ensure the script is called via SSL, and AD requires password changes to be done via ldaps, so the whole thing should be encrypted end to end.

(Edited 5/14/2010 to replace the inlined Perl script with a link to the script as a text file.)

changeadpasswd.pl