| From: | fche(at)redhat(dot)com (Frank Ch(dot) Eigler) |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Encrypting pg_shadow passwords |
| Date: | 2001-06-27 13:58:08 |
| Message-ID: | o5lmmegh3j.fsf@toenail.toronto.redhat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
pgman wrote:
: OK, I get you now. Why not ask the client to do a crypt and compare
: that to pg_shadow. [...]
You can't trust the client to do the one-way encryption, for then the
encrypted password becomes plaintext-equivalent - it defeats the
purpose. (The SMB protocol apparently suffers or suffered from a
similar flaw.)
tgl wrote:
: What this discussion seems to come down to is whether we should take a
: backward step in one area of security (security against wire-sniffing)
: to take a forward step in another (not storing plaintext passwords).
: [...]
It seems to me that the two issues are orthogonal. Authentication and
confidentiality are not mutually dependent or reinforcing, and thus
generally need separate mechanisms.
- FChE
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thomas Lockhart | 2001-06-27 14:03:21 | Re: postgresql 7.1.1 and textout and textin |
| Previous Message | Tatsuo Ishii | 2001-06-27 13:50:19 | Re: stuck spin lock with many concurrent users |