Re: Open 7.3 items

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
Cc: Ron Snyder <snyder(at)roguewave(dot)com>, Neil Conway <nconway(at)klamath(dot)dyndns(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Open 7.3 items
Date: 2002-08-01 02:48:40
Message-ID: 200208010248.g712meJ20350@candle.pha.pa.us
Lists: pgsql-hackers

Marc G. Fournier wrote:
> On Wed, 31 Jul 2002, Bruce Momjian wrote:
>
> > Marc G. Fournier wrote:
> > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
> > >
> > > > Ron Snyder wrote:
> > > > > >
> > > > > > Yes, is that your pg_hba.conf line? 'password' is insecure over
> > > > > > networks you don't trust.
> > > > >
> > > > > Yes, we're using 'password password' in our pg_hba.conf file. I trust my
> > > > > network (so far).
> > > >
> > > > That is another major limitation to secondary password files. In fact,
> > > > md5 will not even work because we assume the username is used as the
> > > > salt for the md5 encryption. We don't store the salt as part of the
> > > > encrypted password like crypt does.
> > > >
> > > > This was another reason secondary password files were discouraged.
> > >
> > > discouraged?? where? :)
> >
> > Well. I meant that they had very limited usefulness. You had to trust
> > your network.
>
> that is the case for a lot of software, and a lot of networks nowadays are
> moving towards encrypted at the switch level, so the local network itself
> is considered to be 'secure' ...
>
> But, personally, you sooooooo sold me on that GUC thing that if we could
> implement that in time for v7.3, I think a lot of ppl would find that
> *quite* valuable ...
>

I am working on it now. I decided against doing any kind of database
prepending at the user level. You create the user as 'dbname.username'.
That is clearer, rather than prepending based on the db you are
connected to. The only code change is in the postmaster authentication
lookup and ownership setting from the backend connection.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
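
An added illustration of the md5 scheme mentioned in the quoted discussion (not code from this thread or from PostgreSQL itself): the username is the salt for the stored hash, so the same password stored under a different name, such as 'dbname.username', yields a different verifier. The user names, password and function names are constructed for the example.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, username: str) -> str:
    """Value kept by the server: 'md5' + md5(password || username)."""
    return "md5" + md5_hex(password.encode() + username.encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """Value the client sends for the per-connection salt from the server."""
    inner = md5_hex(password.encode() + username.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: only the stored verifier is needed, never the cleartext."""
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    salt = os.urandom(4)  # random per-connection salt
    # Constructed sample accounts: same password, two different user names.
    v_plain = stored_verifier("s3cret", "ron")
    v_scoped = stored_verifier("s3cret", "sales.ron")
    reply = client_response("s3cret", "ron", salt)
    return {
        # The name is part of the hash input, so the verifiers differ.
        "verifier_depends_on_name": v_plain != v_scoped,
        # A client logging in as 'ron' matches the entry stored for 'ron'.
        "login_matches_own_entry": server_check(v_plain, salt, reply),
        # The same reply does not match an entry stored under another name,
        # which is why a password file keyed on other names breaks md5.
        "login_matches_renamed_entry": server_check(v_scoped, salt, reply),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```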
