PostgreSQL Authentication Methods

PasswordMessage containing the password in clear-text form. If this is the correct password, the server responds with an AuthenticationOk, otherwise it responds with an ErrorResponse. </para> </listitem> </varlistentry> <varlistentry> <term>AuthenticationMD5Password</term> <listitem> <para> The frontend must now send a PasswordMessage containing the password (with user name) encrypted via MD5, then encrypted again using the 4-byte random salt specified in the AuthenticationMD5Password message. If this is the correct password, the server responds with an AuthenticationOk, otherwise it responds with an ErrorResponse. The actual PasswordMessage can be computed in SQL as <literal>concat('md5', md5(concat(md5(concat(password, username)), random-salt)))</literal>. (Keep in mind the <function>md5()</function> function returns its result as a hex string.) </para> <warning> <para> Support for MD5-encrypted passwords is deprecated and will be removed in a future release of <productname>PostgreSQL</productname>. Refer to <xref linkend="auth-password"/> for details about migrating to another password type. </para> </warning> </listitem> </varlistentry> <varlistentry> <term>AuthenticationGSS</term> <listitem> <para> The frontend must now initiate a GSSAPI negotiation. The frontend will send a GSSResponse message with the first part of the GSSAPI data stream in response to this. If further messages are needed, the server will respond with AuthenticationGSSContinue. </para> </listitem> </varlistentry> <varlistentry> <term>AuthenticationSSPI</term> <listitem> <para> The frontend must now initiate an SSPI negotiation. The frontend will send a GSSResponse with the first part of the SSPI data stream in response to this. If further messages are needed, the server will respond with AuthenticationGSSContinue. </para> </listitem> </varlistentry> <varlistentry> <term>AuthenticationGSSContinue</term> <listitem> <para> This message contains the response data from the previous step of GSSAPI or SSPI negotiation (AuthenticationGSS, AuthenticationSSPI or a previous AuthenticationGSSContinue). If the GSSAPI or SSPI data in this message indicates more data is needed to complete the authentication, the frontend must send that data as another GSSResponse message. If GSSAPI or SSPI authentication is completed by this message, the server will next send AuthenticationOk to indicate successful authentication or ErrorResponse to indicate failure. </para> </listitem> </varlistentry> <varlistentry> <term>AuthenticationSASL</term> <listitem> <para> The frontend must now initiate a SASL negotiation, using one of the SASL mechanisms listed in the message. The frontend will send a SASLInitialResponse with the name of the selected mechanism, and the first part of the SASL data stream in response to this. If further messages are needed, the server will respond with AuthenticationSASLContinue. See <xref linkend="sasl-authentication"/> for details. </para> </listitem> </varlistentry> <varlistentry> <term>AuthenticationSASLContinue</term> <listitem> <para> This message contains challenge data from the previous step of SASL negotiation (AuthenticationSASL, or a previous AuthenticationSASLContinue). The frontend must respond with a SASLResponse message. </para> </listitem> </varlistentry> <varlistentry>

The PostgreSQL protocol supports various authentication methods, including clear-text password, MD5-encrypted password, GSSAPI, SSPI, and SASL, each with its own message exchange and response formats, allowing the frontend to authenticate with the server and establish a secure connection.