Re: PostgreSQL cleartext passwords

From: Mike Mascari <mascarm(at)mascari(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Jim Mercer <jim(at)reptiles(dot)org>, David Duddleston <david(at)i2a(dot)com>, pgsql-general(at)hub(dot)org
Subject: Re: PostgreSQL cleartext passwords
Date: 2000-05-18 23:05:48
Message-ID: 3924774C.35B451D7@mascari.com
Lists: pgsql-general

Tom Lane wrote:
>
> Jim Mercer <jim(at)reptiles(dot)org> writes:
> > by default, the passwords are stored in clear text.
> > however, if you are configuring passwords, then likely you are going
> > to need to change settings in pg_hba.conf. in there you can specify
> > "crypt", and the system will expect that the passwds in pg_shadow
> > are encrypted.
>
> Not so! "crypt" authentication provides for sending passwords in
> crypted form during login (which is good if you're afraid of password-
> sniffers, but then maybe you should be using SSL to protect your whole
> session, not only the password). But it doesn't change the contents
> of pg_shadow.

...

>
> BTW, there is no particularly good reason to be storing passwords in
> the Postgres database at all --- you can instead use Kerberos
> authentication, or perhaps "ident" authentication (though ident is
> only OK if logins are only accepted from machines whose sysadmins you
> trust, since ident is easily faked on an insecure machine).
>
> regards, tom lane

Unfortunately for those depending on Kerberos, a CERT advisory
was released just yesterday:

CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos
Authenticated Services

Original release date: May 17, 2000
Last revised: --
Source: The MIT Kerberos Team, CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running services authenticated via Kerberos 4
* Some systems running services authenticated via Kerberos 5
* Systems running the Kerberized remote shell daemon (krshd)
* Systems with the Kerberos 5 ksu utility installed
* Systems with the Kerberos 5 v4rcp utility installed

Overview

The CERT Coordination Center has recently been notified of several
buffer overflow vulnerabilities in the Kerberos authentication
software. The most severe vulnerability allows remote intruders to
gain root privileges on systems running services using Kerberos
authentication. If vulnerable services are enabled on the Key
Distribution Center (KDC) system, the entire Kerberos domain may be
compromised.

...

Mike Mascari
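To make concrete the distinction Tom Lane draws above (a "crypt" entry in pg_hba.conf changes what crosses the wire at login, not what sits in pg_shadow), here is an added example that is not code from the thread or from the PostgreSQL project. It models the 7.0-era exchange: the server sends a random salt, the client answers with a salted hash of the password, and the server recomputes that value from the cleartext password it still holds. SHA-256 stands in for the Unix crypt(3) function used at the time (an assumption made for portability); the table PG_SHADOW, the salt length and the user/password pair are constructed for the illustration.

```python
"""Why "crypt" authentication hides the password on the wire but leaves the
server-side password store unchanged (illustration, not PostgreSQL code)."""
import hashlib
import hmac
import secrets

# Constructed server-side store: what a PostgreSQL 7.0-era pg_shadow held,
# i.e. the cleartext password, whatever auth method pg_hba.conf selects.
PG_SHADOW = {"alice": "s3cret"}


def server_challenge() -> bytes:
    """Server -> client: a fresh random salt (crypt(3) used a 2-char salt;
    8 random bytes here is an assumption of the illustration)."""
    return secrets.token_bytes(8)


def client_response(password: str, salt: bytes) -> str:
    """Client -> server: a hash bound to the salt. SHA-256 stands in for
    crypt(3); the cleartext password itself never leaves the client."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def server_verify(user: str, salt: bytes, response: str) -> bool:
    """Server recomputes the expected response from the cleartext it stores.
    This is exactly why the store cannot be hashed: the server needs the
    original password to reproduce the client's salted value."""
    stored = PG_SHADOW.get(user)
    if stored is None:
        return False
    expected = client_response(stored, salt)
    return hmac.compare_digest(expected, response)


def login(user: str, password: str, wire: list) -> bool:
    """Run one login exchange, appending each message to `wire` so the
    caller can inspect what a network sniffer would have captured."""
    salt = server_challenge()
    wire.append(("server->client", salt.hex()))
    resp = client_response(password, salt)
    wire.append(("client->server", resp))
    return server_verify(user, salt, resp)


def password_on_wire(password: str, wire: list) -> bool:
    """True if the cleartext password appears in any captured message."""
    return any(password in msg for _, msg in wire)


def password_in_store(user: str) -> str:
    """What anyone who can read pg_shadow sees: the cleartext password."""
    return PG_SHADOW[user]


def replay_succeeds(captured_response: str, user: str) -> bool:
    """A sniffer replays a captured response against a new challenge.
    Because the server issues a fresh salt per login, the old value fails."""
    return server_verify(user, server_challenge(), captured_response)


if __name__ == "__main__":
    wire = []
    print("login ok:", login("alice", "s3cret", wire))
    print("password visible on wire:", password_on_wire("s3cret", wire))
    print("password visible in store:", password_in_store("alice"))
    print("replay of captured response ok:", replay_succeeds(wire[1][1], "alice"))
```

The exchange hides the password from a passive sniffer and defeats straight replay, but a captured salt/response pair can still be guessed against offline, and everything after login is still cleartext, which is the reason the reply above suggests SSL for the whole session rather than relying on crypt alone. The store itself is untouched by the choice of method: anyone who can read pg_shadow reads the password.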
