Re: Re: Encrypting pg_shadow passwords - Mailing list pgsql-hackers

From ncm@zembu.com (Nathan Myers)
Subject Re: Re: Encrypting pg_shadow passwords
Msg-id 20010711134821.J23310@store.zembu.com
In response to Re: Re: Encrypting pg_shadow passwords  (michael@miknet.net (Michael Samuel))
List pgsql-hackers
On Wed, Jul 11, 2001 at 01:24:53PM +1000, Michael Samuel wrote:
> The crypt authentication currently used offers _no_ security. ...
> Of course, SSL *if done correctly with certificate verification* is the
> correct fix.  If no certificate verification is done, you fall victim to
> a man-in-the-middle attack.

It seems worth noting here that you don't have to depend on
SSL authentication; PG can do its own authentication over SSL
and avoid the man-in-the-middle attack that way.

Of course, PG would have to do its authentication properly, e.g.
with the HMAC method.  That seems better than depending on SSL
authentication, because SSL certification seems to be universally
misconfigured.

Nathan Myers
ncm@zembu.com
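As an added illustration of the HMAC method the message refers to (example code written for this page, not PostgreSQL's own implementation): the server issues a random challenge and the client answers with an HMAC keyed by a password-derived value, so the password itself never crosses the wire and a captured response is useless against a fresh challenge. The salt, the sample user and the key derivation are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a single user whose stored verifier is the HMAC key.
# Assumption: the server keeps SHA-256(salt || password) rather than the
# password, and the client derives the same key from the password it holds.
SALT = b"constructed-salt"
USER_DB = {"alice": hashlib.sha256(SALT + b"correct horse").digest()}


def derive_key(password: bytes, salt: bytes = SALT) -> bytes:
    """Client-side derivation of the HMAC key from the password."""
    return hashlib.sha256(salt + password).digest()


def server_challenge() -> bytes:
    """Server step 1: a fresh, unpredictable nonce for this attempt."""
    return secrets.token_bytes(16)


def client_response(password: bytes, nonce: bytes) -> bytes:
    """Client step 2: prove knowledge of the key without revealing it."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def server_verify(user: str, nonce: bytes, response: bytes) -> bool:
    """Server step 3: recompute the HMAC with the stored key and compare
    in constant time; unknown users and stale responses both fail."""
    key = USER_DB.get(user)
    if key is None:
        return False
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(user: str, password: bytes,
                 nonce: Optional[bytes] = None) -> bool:
    """Run one full challenge-response round; nonce may be fixed for tests."""
    nonce = nonce if nonce is not None else server_challenge()
    return server_verify(user, nonce, client_response(password, nonce))


if __name__ == "__main__":
    print("alice ok:", authenticate("alice", b"correct horse"))
    print("wrong pw:", authenticate("alice", b"wrong"))
```

The exchange proves knowledge of the password only; binding the response to the surrounding SSL session is a separate property that this example does not add.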

