| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | mlw <pgsql(at)mohawksoft(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Devrim GUNDUZ <devrim(at)tr(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: PostgreSQL Password Cracker |
| Date: | 2003-01-01 23:09:35 |
| Message-ID: | 200301012309.h01N9ZO28410@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
mlw wrote:
> >The comments at the top suggest sniffing a Postgres session startup
> >exchange in order to see the MD5 value that the user presents; which the
> >attacker would then give to this program. (Forget it if the session is
> >Unix-local rather than TCP, or if it's SSL-encrypted...)
> >
> >This is certainly a theoretically possible attack against someone who
> >has no clue about security, but I don't put any stock in it as a
> >practical attack. For starters, if you are talking to your database
> >across a network that is open to hostile sniffers, you should definitely
> >be using SSL.
> >
> >
> This is absolutely correct, shouldn't this be in the FAQ?
Well, this is a pretty rare issue, so it doesn't seem like an FAQ.
People need to understand the ramifications of the various pg_hba.conf
settings, and I think our documentation does that.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
| From | Date | Subject | |
|---|---|---|---|
| Next Message | mlw | 2003-01-01 23:41:29 | Re: PostgreSQL Password Cracker |
| Previous Message | Tatsuo Ishii | 2003-01-01 23:06:05 | Re: Postgresql, unicode and umlauts |