Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Re: PostgreSQL Password Cracker
What do others think? I am not sure myself. --------------------------------------------------------------------------- mlw wrote: > > > Bruce Momjian wrote: > > >mlw wrote: > > > > > >>>The comments at the top suggest sniffing a Postgres session startup > >>>exchange in order to see the MD5 value that the user presents; which the > >>>attacker would then give to this program. (Forget it if the session is > >>>Unix-local rather than TCP, or if it's SSL-encrypted...) > >>> > >>>This is certainly a theoretically possible attack against someone who > >>>has no clue about security, but I don't put any stock in it as a > >>>practical attack. For starters, if you are talking to your database > >>>across a network that is open to hostile sniffers, you should definitely > >>>be using SSL. > >>> > >>> > >>> > >>> > >>This is absolutely correct, shouldn't this be in the FAQ? > >> > >> > > > >Well, this is a pretty rare issue, so it doesn't seem like an FAQ. > >People need to understand the ramifications of the various pg_hba.conf > >settings, and I think our documentation does that. > > > > > A good DBA will probably read the docs, a bad DBA will probably not, and > it is the bad DBA that needs to be guided the most. > > Maybe not FAQ, but is the a short page of "dos and don'ts? > > -- Bruce Momjian | http://candle.pha.pa.us pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
In response to
- Re: PostgreSQL Password Cracker at 2003-01-01 23:41:29 from mlw
Responses
- Re: PostgreSQL Password Cracker at 2003-01-02 04:17:59 from Tom Lane
pgsql-hackers by date
Next: From: Tom Lane Date: 2003-01-02 04:17:59 Subject: Re: PostgreSQL Password Cracker Previous: From: mlw Date: 2003-01-01 23:41:29 Subject: Re: PostgreSQL Password Cracker