Re: Encrypting pg_shadow passwords - Mailing list pgsql-hackers
From | Bruce Momjian
---|---
Subject | Re: Encrypting pg_shadow passwords
Date |
Msg-id | 200106260348.f5Q3mWq26296@candle.pha.pa.us
In response to | Re: Encrypting pg_shadow passwords (Jim Mercer <jim@reptiles.org>)
Responses | Re: Encrypting pg_shadow passwords
List | pgsql-hackers
> On Mon, Jun 25, 2001 at 11:27:42PM -0400, Bruce Momjian wrote:
> > I am replying to the original message because it has all the relevant
> > information. The problem with 'password' authentication is that the
> > password goes across the wire in plaintext. Now, if we start to ship
> > encrypted passwords across the wire, but use the same salt for every
> > authentication request, we are really no more secure than if we sent it
> > in the clear.
> >
> > If a user specifies 'crypt' in pg_hba.conf, they should be assured that
> > the password is safe in case someone snoops it. Encrypting pg_shadow
> > and comparing that with the same salt every time is not secure from
> > snooping so we don't allow it.
> >
> > Am I missing something?
>
> i don't disagree that sending plaintext across the wire, if possible, it
> should be avoided.
>
> however, i look at it this way.
>
> many _existing_ implementations send plaintext across the wire, telnet,
> ftp, .htaccess, imap and pop (non-ssl).
>
> i would much rather risk a single plain-text password being snooped on the
> wire, rather than having an entire database of plain-text passwords for
> someone to scoop.
>
> many people re-use passwords for multiple purposes, thus reducing the bio-core
> required to keep track of a bazillion passwords.
>
> in my opinion, storing plain-text passwords in any media is just plain wrong,
> and a far greater security risk than having a password sniffed.
>
> in my applications, i have SSL covering the client->app (browser->PHP code),
> so the sniffing would need to be on the wire from the app-server -> database
> server, which in many cases is the same machine.
>
> my mods don't alter the operation of the server in any respect.
>
> they do, however, allow people the choice of using a traditional
> telnetd/binlogin authentication scheme without resorting to external password
> files.

OK, I get you now. Why not ask the client to do a crypt and compare that to pg_shadow.
It is better than what we have now for 'password' authentication because it encrypts pg_shadow. The big problem is that you can't do 'crypt' authentication once you encrypt pg_shadow, unless we do the double-encryption thing, and I think it is a bigger win for them to use crypt-authentication than to encrypt pg_shadow. The wire is clearly less secure than pg_shadow.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
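The trade-off the two messages circle around, as an added illustration that is not from the thread or from PostgreSQL itself: if the client sends the same salted hash on every login, the stored value and the wire value are identical and a captured wire value is replayable; the "double-encryption" idea hashes the stored verifier a second time with a fresh per-connection challenge, so the wire value changes each time while pg_shadow still holds no plaintext. The code below uses a salted SHA-256 as a stand-in for crypt(3); the user name as per-user salt, the password "hunter2" and the challenge length are constructed assumptions, not anything the server actually does.

```python
import hashlib
import hmac
import secrets


def make_verifier(password: str, salt: str) -> str:
    """Server-side stored value (the 'encrypted pg_shadow' entry).

    Stand-in for crypt(3): a salted SHA-256, hex encoded. The salt is fixed
    per user, so the stored value can be recomputed from the password alone.
    """
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


def static_auth_ok(stored_verifier: str, sent_value: str) -> bool:
    """Scheme the thread rejects: the client sends crypt(password, fixed salt).

    Whatever crosses the wire is identical on every login, so a value that
    was observed once authenticates again later.
    """
    return hmac.compare_digest(stored_verifier, sent_value)


def new_challenge() -> str:
    """Fresh random salt the server issues for one authentication attempt."""
    return secrets.token_hex(8)


def challenge_response(verifier: str, challenge: str) -> str:
    """Client side of the 'double encryption': hash the stored-form verifier
    again with the per-connection challenge."""
    return hashlib.sha256(f"{verifier}:{challenge}".encode()).hexdigest()


def challenge_auth_ok(stored_verifier: str, challenge: str, response: str) -> bool:
    """Server check: recompute the response from the stored verifier and
    the challenge it issued, then compare in constant time."""
    expected = challenge_response(stored_verifier, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed walk-through: one legitimate login under each scheme,
    then the wire value from that login presented again at a later login."""
    user_salt = "alice"                            # constructed per-user salt
    stored = make_verifier("hunter2", user_salt)   # constructed password

    # Static scheme: the client computes exactly the value the server stores.
    wire_static = make_verifier("hunter2", user_salt)
    first_static = static_auth_ok(stored, wire_static)
    # The same bytes presented again at a later connection still pass.
    replay_static = static_auth_ok(stored, wire_static)

    # Challenge scheme: the server picks a new challenge per connection.
    c1 = new_challenge()
    wire_cr = challenge_response(make_verifier("hunter2", user_salt), c1)
    first_cr = challenge_auth_ok(stored, c1, wire_cr)
    # A later connection gets a different challenge; the old response fails.
    c2 = new_challenge()
    replay_cr = challenge_auth_ok(stored, c2, wire_cr)

    return {
        "static_first_login": first_static,
        "static_replay_succeeds": replay_static,
        "challenge_first_login": first_cr,
        "challenge_replay_succeeds": replay_cr,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The caveat Bruce's last sentence points at is visible in `challenge_auth_ok`: the server answers the challenge from the stored verifier alone, so that verifier is password-equivalent and pg_shadow still has to be protected as tightly as a plaintext file would be. What the extra round gains is that the wire value is bound to a salt the observer did not choose and will not see again.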