From: | Jim Mercer <jim(at)reptiles(dot)org> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
Subject: | Re: Proposal for encrypting pg_shadow passwords |
Date: | 2001-06-26 03:18:20 |
Message-ID: | 20010625231820.F1599@reptiles.org |
Lists: | pgsql-hackers |
On Mon, Jun 25, 2001 at 11:04:15PM -0400, Bruce Momjian wrote:
> password: plaintext password is sent over network from client
> to server
>
> crypt: random salt is sent to client; client encrypts using that salt
> and returns encrypted password to server. Server encrypts pg_shadow
> password with same random salt and compares. This is why current
> pg_shadow password is cleartext. (Call this "crypt authentication".)

did you see my post of a week or so ago?

    host dbname ipaddr netmask password /some/file
      - uses second field of /some/file, as per /etc/passwd
      - compares second field of /some/file with crypt(clear-text)

    host dbname ipaddr netmask crypt (no file specified)
      - as above

    host dbname ipaddr netmask password (no file specified)
      - same as if the line was s/password/crypt/g

i have mods that allow (in a completely backward compatible fashion)

    host dbname ipaddr netmask password pg_shadow
      - uses password from pg_shadow
      - compares pg_shadow->password with crypt(clear-text)

while i applaud the dual-crypt enhancements for the newer versions,
i think these patches allow storage of encrypted passwords in pg_shadow
without any substantial changes (or possible damage to existing code).

i am using these mods in conjunction with php scripts, and as such i need
not give "webuser" or "nobody" any privs on my tables.

--
[ Jim Mercer jim(at)reptiles(dot)org +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
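
The storage trade-off between the two methods discussed in this message, as an added example that is not part of the original e-mail or of PostgreSQL's code. `toy_crypt` is a salted SHA-256 stand-in for crypt(3) (an assumption), and the user name, password and file contents are constructed.

```python
import hashlib
import hmac
import secrets

def toy_crypt(cleartext: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption): salted SHA-256, stored as salt$digest."""
    return salt + "$" + hashlib.sha256((salt + cleartext).encode()).hexdigest()

def second_field(file_text: str, user: str):
    """Return field 2 of the user's line in a passwd-style file, or None."""
    for line in file_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None

def password_method(file_text: str, user: str, cleartext: str) -> bool:
    """Client sent cleartext; server re-hashes it with the stored entry's salt."""
    entry = second_field(file_text, user)
    if entry is None:
        return False
    salt = entry.split("$", 1)[0]
    return hmac.compare_digest(toy_crypt(cleartext, salt), entry)

def crypt_method(server_value: str, client_cleartext: str) -> bool:
    """Server sends a fresh random salt; both sides hash what they hold with it."""
    challenge = secrets.token_hex(2)                      # server -> client
    response = toy_crypt(client_cleartext, challenge)     # client -> server
    return hmac.compare_digest(toy_crypt(server_value, challenge), response)

def demo() -> dict:
    password = "example-pw"                  # constructed sample value
    entry = toy_crypt(password, "ab")        # what a hashed store would hold
    passwd_file = "webuser:" + entry + ":\n" # constructed file contents
    return {
        "password method, hashed store": password_method(passwd_file, "webuser", password),
        "password method, wrong password": password_method(passwd_file, "webuser", "guess"),
        "crypt method, cleartext store": crypt_method(password, password),
        "crypt method, hashed store": crypt_method(entry, password),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The last case is rejected because a server holding only the hashed entry cannot recompute the hash of the cleartext under a fresh random salt, which is why the quoted "crypt authentication" needs the cleartext in pg_shadow.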