Re: Encrypting pg_shadow passwords

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Jim Mercer <jim(at)reptiles(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Encrypting pg_shadow passwords
Date: 2001-06-26 04:20:40
Message-ID: 200106260420.f5Q4Ket28599@candle.pha.pa.us
Lists: pgsql-hackers

> On Tue, Jun 26, 2001 at 12:00:35AM -0400, Bruce Momjian wrote:
> > One good point you have is what do we do with 'password' authentication
> > once we encrypt pg_shadow. My guess is that we just disallow it. It is
> > insecure and was only there for clients that couldn't do crypt. They
> > all have that now. It should just go away. We kept it around for the
> > secondary password file but those secondary password files are the same
> > once pg_shadow is encrypted.
>
> i would be content if the API allowed me to pass it a plain-text password,
> and that was compared against pg_shadow, where the password is stored
> encrypted.
>
> at this point in time, i do not see a method of doing that without my mods
> or using external password files.

We will do double-crypt and everyone will be happy, right?

>
> if the API as above existed, then i would be happy to see "password" go away
> (although it should be deprecated to a --enable option, otherwise you are
> going to ruin a bunch of existing code).

Who is using it? We can continue to allow it but at some point there is
no purpose to it unless you have clients that are pre-7.2. Double-crypt
removes the use for it, no?

>
> > One item of my plan is that you can encrypt individual users. You don't
> > have to do them all at once in case you have older clients for some
> > users but not others.
>
> it would be nice (in my opinion) if you could have multiple (cascade) entries
> in pg_hba.conf.
>
> and a flag in pg_shadow to "appoint" a blessed scheme.
>
> ie. if a user identd's ok, and the identd flag is set in pg_shadow, then
> it is ok. otherwise, move on to the next pg_hba.conf entry.
>
> the reasoning for this is that i (and i assume others) have two classes of
> access. some type of authenticated client/user and scripts.
>
> hardcoding passwords in scripts is just wrong.
>
> i sometimes have "localhost" set up on ident, and non-localhost on some
> type of password/crypt type thing. but i don't want to allow all local users
> access via ident.
>
> i recognize that some of this can be done with the ident mapping facility,
> but again, that is an external file, and thus presents management issues.

Our authentication system is already too complex. I would prefer not to
make it more so. The more complex, the more mistakes admins make.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
