Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Paul Tillotson <pntil(at)shentel(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-22 00:59:45
Message-ID: 20050422005945.GM29028@ns.snowman.net
Lists: pgsql-hackers

* Paul Tillotson (pntil(at)shentel(dot)net) wrote:
> Maybe I misunderstood, but I thought that others were saying that, if
> someone gets the contents of pg_shadow, then
>
> - if you use only "password" in your pg_hba.conf, he has to break one of
> the hashes first in order to log in.
> - but if you use "md5" in your pg_hba.conf, then he doesn't have to
> break the hashes at all.

(in order to authenticate to your Postgres installation as a given user)

> Is this correct?

Yes, this is correct.

> I guess I personally felt "betrayed" when I heard this since I (naively)

Me too. :/

> assumed that the point of hashing passwords was to make it so that
> someone who is able to read your database is prevented from logging in
> and corrupting the data, installing root-kits, etc.

The hash in pg_shadow should only be visible to the database superuser,
or someone who has access to the unix account postgres runs as.

> Now I see that the point of md5 authenticate is to address an entirely
> different problem, namely, having the cleartext password being captured
> on the wire.

The intention of the 'md5' method in pg_hba.conf is to avoid having the
password go over the network in the clear, yes. Unfortunately, this
pretty much requires that the database have something which is
password-equivalent stored on disk.

Thanks,

Stephen
