| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Paul Tillotson <pntil(at)shentel(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| Date: | 2005-04-21 18:23:37 |
| Message-ID: | 4267EFA9.50604@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost wrote:
>* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>
>
>>Stephen Frost <sfrost(at)snowman(dot)net> writes:
>>
>>
>>>I'd also like to point out that this is *only* an issue for the 'md5'
>>>authentication mechanism in pg_hba.conf, which I think should be=20
>>>discouraged in favor of 'password' and SSL/IPSEC.
>>>
>>>
>>This is still utter nonsense. How can md5 be less secure than storing
>>your password in the clear?
>>
>>
>
>I think you're mixing the issues. 'password' in pg_hba.conf does not
>automatically imply 'without encrypted password'/plaintext in pg_shadow.
>There are two seperate uses of md5 here and they counter each other.
>
>
>
The docs say: "only md5 supports encrypted passwords stored in
pg_shadow; the other two require unencrypted passwords to be stored
there." So either your assertion that 'password' auth does not imply
plaintext password storage is wrong, or the docs are.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Stark | 2005-04-21 18:25:05 | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| Previous Message | Stephen Frost | 2005-04-21 18:18:43 | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |