I'm trying to find all users that have been created with 'disabled' passwords in redshift. We are looking to maintain users syncing from ldap. They will be created with disabled passwords so they cannot log in directly and we want to list them so they can be removed when longer required.
create user no_pass_user with password disable
I've tried querying pg_user where passwd is null etc, but nothing
select * from pg_user where passwd is null or passwd = 'disable' or passwd = '' ;
I could use expiry date etc, but would prefer disabled password if possible.
Thanks in advance
Related
I am using the pgcrypto extension in Postgresql to encrypt and salt the storage of user passwords in a database and I am having trouble retrieving them.
Specifically, the insert statement for a user looks like this:
INSERT INTO Users (username, password) VALUES ('test1', crypt('Password1234', gen_salt('bf', 8)));
This works fine however when I try to retrieve from the database, this query:
SELECT username, password FROM Users WHERE username = 'test1' AND password = crypt('Password1234', gen_salt('bf', 8));
returns no results, the query does not fail, just no results.
Currently, I am not using python to interact with the database (I will be in the future) I am just using psql in the terminal. I know something is wrong with this query but I am not sure what and how to fix it. Is there some other way that this should be structured or what am I doing wrong? Thanks for any help!
You are re-salting the password with a new salt, which of course leads to a different answer than before. That is the whole point of salting.
You need to reuse the first salt in the new hashing, which you do by feeding the password hash in place of gen_salt(...). (The stored hashed password has the salt embedded within it, and crypt knows how to extract and reuse it).
SELECT username, password FROM Users WHERE username = 'test1' AND password = crypt('Password1234', password);
But, why are you selecting "password"? Once you have verified that is hashes correctly, what further use is there in seeing it?
Ex: I have tables Table_A, Table_B, Table_C
I have created Role(user) called Username
Create User username with password 'pwd'
Without granting select permission to username able to access some of the tables.
The tables (Table_A, Table_B, Table_C) which have created are in public schema, so without granting select permission we can able to access the tables.
Today, a magic happen to our read-only user in our PostgreSQL database. We can't log in to the database using provided username and password. It supposed to be someone changed the password, but no one. When I check the following query:
SELECT * FROM pg_user WHERE usename='readonlyuser';
I know the fact that valuntil value is totally different between the read-only user and normal user. valuntil value for the normal user is infinity, and NULL for the read-only user. And my question is: How long will the PostgreSQL user password expire when the valuntil value in pq_user is NULL?
Password will not expire if valuntil = NULL.
From documentation:
rolvaliduntil Password expiry time (only used for password authentication); null if no expiration
pg_user is view for pg_shadow with is view for pg_authid
I created a role with login permission, but I can't login with it, I get:
FATAL: password authentication failed for user "myuser"
I have confirmed by select * from pg_roles that the role exists and has login permission.
I suspect an error in my db set up script caused it to be created with a different password to what I believed it was set to.
I realise that you cannot lookup the existing password of a role but I figure there ought to be a function which can be used to tell if a plaintext matches password for a role?
eg in a web app when we store passwords in the db they are salted and hashed... you can't tell what is the password from looking at that, but you can take a new plaintext and run the password hashing on it and say if the hash of your plaintext matches the stored password.
Is there something like that for psql?
I found other SO questions, eg Authenticate PostgreSQL user and password without database, about how to check password but they suggest trying to login with that role from commandline, which I can't do ("password authentication failed").
In my case I realise I should just trust the error message and assume role was created with wrong password... but let's imagine I'd created a role without LOGIN permission - this way of checking wouldn't be possible.
There are other ways to debug my script of course, but I am curious if such a 'password check' function exists.
For example, I found these in the docs:
http://www.postgresql.org/docs/8.3/static/pgcrypto.html
...but they are provided as helpers for building applications on top of Postgres - it is not clear if they are used by Postgres iteself for role passwords.
As posted in the comments, this answer is to compare a given plain text password with a stored md5 hashed PostgreSQL role password. I consider this somewhat of a hack, but let's do it anyway.
The following can be done with the "plain" md5() function in core PostgreSQL.
PostgreSQL's role passwords are hashed with md5 and salted with the role name. As an added bonus, they are prefixed with 'md5'. So a query to match a password to a role would be
select * from pg_authid WHERE rolpassword = 'md5' || md5('the-plain-text-password' || 'the-role-name');
The important bit (of course) is:
'md5' || md5('the-plain-text-password' || 'the-role-name');
Where we concatenate a string "md5" with an md5 hash of the plain text password and the role name as the salt.
I am using Redshift cluster. One user can rotate his own password using below command:
testcluster=> select current_user;
current_user
--------------
u003
(1 row)
testcluster=> alter user u003 with password 'Newpassword123#';
ALTER USER
How to stop this self password rotation. It must be rotated by super user only.
Is there any way to achive this ?
PostgreSQL allows users to change their own passwords.
See: ALTER USER documentation
Therefore, you cannot prevent users changing their own password.