Skip site navigation (1) Skip section navigation (2)

Re: PostgreSQL Password Cracker

From: mlw <pgsql(at)mohawksoft(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Devrim GUNDUZ <devrim(at)tr(dot)net>,pgsql-hackers(at)postgresql(dot)org
Subject: Re: PostgreSQL Password Cracker
Date: 2003-01-01 23:41:29
Message-ID: 3E137CA9.7030309@mohawksoft.com (view raw or flat)
Thread:
Lists: pgsql-hackers

Bruce Momjian wrote:

>mlw wrote:
>  
>
>>>The comments at the top suggest sniffing a Postgres session startup
>>>exchange in order to see the MD5 value that the user presents; which the
>>>attacker would then give to this program.  (Forget it if the session is
>>>Unix-local rather than TCP, or if it's SSL-encrypted...)
>>>
>>>This is certainly a theoretically possible attack against someone who
>>>has no clue about security, but I don't put any stock in it as a
>>>practical attack.  For starters, if you are talking to your database
>>>across a network that is open to hostile sniffers, you should definitely
>>>be using SSL.
>>> 
>>>
>>>      
>>>
>>This is absolutely correct, shouldn't this be in the FAQ?
>>    
>>
>
>Well, this is a pretty rare issue, so it doesn't seem like an FAQ.
>People need to understand the ramifications of the various pg_hba.conf
>settings, and I think our documentation does that.
>  
>
A good DBA will probably read the docs, a bad DBA will probably not, and 
it is the bad DBA that needs to be guided the most.

Maybe not FAQ, but is the a short page of "dos and don'ts?


In response to

Responses

pgsql-hackers by date

Next:From: Bruce MomjianDate: 2003-01-01 23:44:58
Subject: Re: PostgreSQL Password Cracker
Previous:From: Bruce MomjianDate: 2003-01-01 23:09:35
Subject: Re: PostgreSQL Password Cracker

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group