Re: [pgadmin-hackers] Client-side password encryption

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Greg Stark <gsstark(at)mit(dot)edu>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, Dave Page <dpage(at)vale-housing(dot)co(dot)uk>
Subject: Re: [pgadmin-hackers] Client-side password encryption
Date: 2005-12-23 15:24:11
Message-ID: 20051223152411.GB27014@svana.org
Lists: pgadmin-hackers pgsql-hackers

On Fri, Dec 23, 2005 at 09:42:44AM -0500, Stephen Frost wrote:
> * Martijn van Oosterhout (kleptog(at)svana(dot)org) wrote:
> > This isn't the first time this has been explained, but:
> >
> > With password encryption you essentially have two options:
> >
> > - Server knows password, use challenge-response authentication so
> > password is not visible on wire.
> > - Server only knows hash of password, password must be sent in clear
> > over wire.
>
> Erm, Postgres isn't doing either of these...? You even talk about what
> Postgres does below so I'm kind of bemused that you don't mention it in
> your list... :)

Postgres *is* using one of these, the first one, where the server knows
the authentication token (the md5 hash of the password). UNIX login
uses the latter. Perhaps if you substitute "authentication token" for
"password" above it makes it clearer?

> Well, and these days quite often the network connection is encrypted.

If you use SSL or SSH? Sure. I think in that case you can set up
pg_hba.conf to require "password" in which case the server will only
accept an unhashed password.

> Stops the admin from guessing the password, but makes the text on the
> disk *the* authentication token, meaning someone who manages to get a
> copy of the password file gets full access to the system.

If md5 auth is set up, yes.

> There's also Kerberos, which I'm happy to say seems to be getting more
> and more use. I'd really like to get ODBC Kerberos working, at least
> with MIT kerberos and then maybe someday (if I can manage to get it
> working...) set up some cross-realm stuff with the Windows AD and SSPI
> (iirc) things and have ODBC use that to authenticate against my
> Linux-based PostgreSQL server.

Yeah, I was counting kerberos under "trust a third party". It shouldn't
be too hard to add other such systems, like PAM has been...

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
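The two options Martijn lists, worked through as an added example (this is not code from the thread or from PostgreSQL itself). Option 1 follows the md5 scheme the mail refers to: the server stores `"md5" + md5(password || username)` and answers the login with a 4-byte salt, and the client replies with `"md5" + md5(hex_token || salt)`, so the password never crosses the wire. Option 2 stores only a salted hash and needs the cleartext password on the wire to verify. The usernames, passwords and the fixed salt used below are constructed values; the SHA-256 digest in option 2 is an assumption for illustration, not a PostgreSQL format.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5, the primitive the PostgreSQL md5 method is built on."""
    return hashlib.md5(data).hexdigest()


# ---- Option 1: server knows the authentication token, challenge-response on the wire ----

def stored_md5_token(username: str, password: str) -> str:
    """What the server keeps on disk for md5 auth: "md5" + md5(password || username)."""
    return "md5" + md5_hex(password.encode() + username.encode())


def md5_challenge() -> bytes:
    """Server side: a fresh 4-byte salt sent in AuthenticationMD5Password."""
    return os.urandom(4)


def md5_client_response(username: str, password: str, salt: bytes) -> str:
    """Client side: derive the token from the password, then bind it to the salt.

    Only the salted result leaves the client, so a wire observer sees neither
    the password nor the stored token.
    """
    token_hex = stored_md5_token(username, password)[3:]
    return "md5" + md5_hex(token_hex.encode() + salt)


def md5_server_verify(stored_token: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response from the stored token alone.

    Note what this implies: the stored token is sufficient to compute a valid
    response, which is why the on-disk token is itself the credential (the
    point Stephen Frost makes in the thread) and must be protected like one.
    """
    expected = "md5" + md5_hex(stored_token[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


# ---- Option 2: server knows only a salted hash, password sent in clear (e.g. over SSL) ----

def store_hashed_password(password: str) -> tuple[bytes, str]:
    """Server side: keep a random per-user salt and a salted digest.

    Constructed scheme (salted SHA-256) to show the shape; a stolen digest
    cannot be replayed as a login because the verifier needs the password.
    """
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify_cleartext(password: str, salt: bytes, digest: str) -> bool:
    """Server side: the client sent the password itself; hash and compare."""
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed account for the demonstration.
    user, pw = "alice", "correct horse"

    # Option 1 round trip.
    token = stored_md5_token(user, pw)
    salt = md5_challenge()
    print("option 1 ok:", md5_server_verify(token, salt, md5_client_response(user, pw, salt)))
    print("option 1 wrong pw:", md5_server_verify(token, salt, md5_client_response(user, "nope", salt)))

    # Option 2 round trip.
    s, d = store_hashed_password(pw)
    print("option 2 ok:", verify_cleartext(pw, s, d))
    print("option 2 wrong pw:", verify_cleartext("nope", s, d))
```

The check in `md5_server_verify` makes the trade-off concrete: option 1 keeps the password off the wire but turns the stored token into a replayable credential, while option 2 keeps the stored material useless on its own but relies on the transport (SSL, SSH or Kerberos-style third-party trust) to protect the cleartext password. Which one `pg_hba.conf` should require therefore depends on which of the two you can protect better: the wire or the disk.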
