| From: | Brett McCormick <brett(at)work(dot)chicken(dot)org> |
|---|---|
| To: | ocie(at)paracel(dot)com |
| Cc: | maillist(at)candle(dot)pha(dot)pa(dot)us (Bruce Momjian), scrappy(at)hub(dot)org, jwieck(at)debis(dot)com, Andreas(dot)Zeugswetter(at)telecom(dot)at, pgsql-hackers(at)hub(dot)org |
| Subject: | Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) |
| Date: | 1998-02-20 03:03:55 |
| Message-ID: | 199802200303.TAA11237@abraxas.scene.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
What about a public/private key mechanism, like ssh?
On Thu, 19 February 1998, at 15:25:56, ocie(at)paracel(dot)com wrote:
> Standard salt is two characters, so an adversary might be able to
> watch and record which salts produced which replies. Even with a
> single login, a brute force attack might still be able to get the
> user's password. A stronger challenge-response system might be more
> secure. It should be possible for the server to authenticate a user
> without having to store the user's password.
>
> Then again, this is all starting to sound like Kerberos, so if
> Postgres had Kerberos authentication (which I think it does), then
> this could be used for the ultra-high security authentication system.
>
> Ocie Mitchell
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 1998-02-20 03:04:34 | Re: [HACKERS] atttypmod |
| Previous Message | Bruce Momjian | 1998-02-20 03:02:44 | Re: [HACKERS] Running pgindent |