Skip site navigation (1) Skip section navigation (2)

Re: PostgreSQL Password Cracker

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: mlw <pgsql(at)mohawksoft(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Devrim GUNDUZ <devrim(at)tr(dot)net>,pgsql-hackers(at)postgresql(dot)org
Subject: Re: PostgreSQL Password Cracker
Date: 2003-01-01 23:09:35
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
mlw wrote:
> >The comments at the top suggest sniffing a Postgres session startup
> >exchange in order to see the MD5 value that the user presents; which the
> >attacker would then give to this program.  (Forget it if the session is
> >Unix-local rather than TCP, or if it's SSL-encrypted...)
> >
> >This is certainly a theoretically possible attack against someone who
> >has no clue about security, but I don't put any stock in it as a
> >practical attack.  For starters, if you are talking to your database
> >across a network that is open to hostile sniffers, you should definitely
> >be using SSL.
> >  
> >
> This is absolutely correct, shouldn't this be in the FAQ?

Well, this is a pretty rare issue, so it doesn't seem like an FAQ.
People need to understand the ramifications of the various pg_hba.conf
settings, and I think our documentation does that.

  Bruce Momjian                        |
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

In response to


pgsql-hackers by date

Next:From: mlwDate: 2003-01-01 23:41:29
Subject: Re: PostgreSQL Password Cracker
Previous:From: Tatsuo IshiiDate: 2003-01-01 23:06:05
Subject: Re: Postgresql, unicode and umlauts

Privacy Policy | About PostgreSQL
Copyright © 1996-2018 The PostgreSQL Global Development Group