Re: reducing our reliance on MD5

From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: José Luis Tallón <jltallon(at)adv-solutions(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Claudio Freire <klaussfreire(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: reducing our reliance on MD5
Date: 2015-02-11 16:34:18
Message-ID: 54DB848A.4060203@commandprompt.com
Lists: pgsql-hackers


On 02/11/2015 07:54 AM, José Luis Tallón wrote:
>
> On 02/11/2015 04:40 PM, Tom Lane wrote:
>> José Luis Tallón <jltallon(at)adv-solutions(dot)net> writes:
>>> In any case, just storing the "password BLOB"(text or base64 encoded)
>>> along with a mechanism identifier would go a long way towards making
>>> this part pluggable... just like we do with LDAP/RADIUS/Kerberos/PAM
>>> today.
>> That's exactly the direction we must NOT go.

From a practitioner's and one-step-at-a-time perspective, why don't we
just offer SHA-2 as an alternative to MD5?

As a longer-term approach, something like key-based auth (à la SSH),
which proved popular when I brought it up before, seems like a
reasonable solution.

Sincerely,

Joshua D. Drake

--
Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564
PostgreSQL Support, Training, Professional Services and Development
High Availability, Oracle Conversion, @cmdpromptinc
"If we send our children to Caesar for their education, we should
not be surprised when they come back as Romans."
