| From: | michael(at)miknet(dot)net (Michael Samuel) |
|---|---|
| To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Re: Encrypting pg_shadow passwords |
| Date: | 2001-07-12 06:20:35 |
| Message-ID: | 20010712162035.A3233@miknet.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jul 11, 2001 at 01:00:42PM -0400, Bruce Momjian wrote:
> > * HMAC - Wrap all postgres data in an HMAC (I believe this requires an
> > plaintext-like password on the server as does crypt and the double
> > crypt scheme)
>
> No, double-crypt has the passwords stored encrypted.
You missed my point. If I can get hold of the encrypted password in
the database, I can hack up a client library to use the encrypted
password to log in. Therefore, encrypting the password in pg_shadow
offers no advantage.
> > * Public Key (RSA/DSA) - Use public key cryptography to negotiate a
> > connection. (When I'm not busy, I may decide to do this myself)
>
> SSL?
I'd use the OpenSSL libraries to implement it, but we're talking about
public key authentication here, not connection encryption.
--
Michael Samuel <michael(at)miknet(dot)net>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | markMLl.pgsql-general | 2001-07-12 08:02:03 | Re: 2 gig file size limit |
| Previous Message | Klaus Reger | 2001-07-12 05:05:56 | Re: Possible feature? |