| From: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
|---|---|
| To: | "Peter Eisentraut" <peter_e(at)gmx(dot)net>, <pgadmin-hackers(at)postgresql(dot)org> |
| Subject: | Re: Client-side password encryption |
| Date: | 2005-12-18 15:53:53 |
| Message-ID: | E7F85A1B5FF8D44C8A1AF6885BC9A0E4850814@ratbert.vale-housing.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers pgsql-hackers |
-----Original Message-----
From: pgadmin-hackers-owner(at)postgresql(dot)org on behalf of Peter Eisentraut
Sent: Sun 12/18/2005 2:25 AM
To: pgadmin-hackers(at)postgresql(dot)org
Subject: [pgadmin-hackers] Client-side password encryption
> Commands like CREATE USER foo PASSWORD 'bar' transmit the password in
> cleartext and possibly save the password in various client or server
> log files. I have just fixed this for psql and createuser to encrypt
> the password on the client side. A quick check of the pgadmin3 source
> code shows that you are also affected by this issue. I ask you to
> check where you paste cleartext passwords into SQL commands and change
> those to encrypt the password before sending or storing it anywhere.
> The required function pg_md5_encrypt() is contained in libpq.
So did you just rip it from there into psql? I don't see it in the list of libpq exports so if thats not the case, on Windows at least we'll need to change the api, and possibly the dll name as well to avoid any compatibility issues.
Regards, Dave.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Pflug | 2005-12-18 16:07:04 | Re: Client-side password encryption |
| Previous Message | Peter Eisentraut | 2005-12-18 02:25:24 | Client-side password encryption |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Pflug | 2005-12-18 16:07:04 | Re: Client-side password encryption |
| Previous Message | Andreas Pflug | 2005-12-18 14:32:40 | Re: Log of CREATE USER statement |