Re: Client-side password encryption

From: Andreas Pflug <pgadmin(at)pse-consulting(dot)de>
To: Dave Page <dpage(at)vale-housing(dot)co(dot)uk>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgadmin-hackers(at)postgresql(dot)org
Subject: Re: Client-side password encryption
Date: 2005-12-18 16:07:04
Message-ID: 43A58928.3020408@pse-consulting.de
Lists: pgadmin-hackers pgsql-hackers

Dave Page wrote:
>
>
> -----Original Message-----
> From: pgadmin-hackers-owner(at)postgresql(dot)org on behalf of Peter Eisentraut
> Sent: Sun 12/18/2005 2:25 AM
> To: pgadmin-hackers(at)postgresql(dot)org
> Subject: [pgadmin-hackers] Client-side password encryption
>
>
>> Commands like CREATE USER foo PASSWORD 'bar' transmit the password
>> in cleartext and possibly save the password in various client or
>> server log files. I have just fixed this for psql and createuser
>> to encrypt the password on the client side. A quick check of the
>> pgadmin3 source code shows that you are also affected by this
>> issue. I ask you to check where you paste cleartext passwords into
>> SQL commands and change those to encrypt the password before
>> sending or storing it anywhere. The required function
>> pg_md5_encrypt() is contained in libpq.
>
>
> So did you just rip it from there into psql? I don't see it in the
> list of libpq exports so if that's not the case, on Windows at least
> we'll need to change the api, and possibly the dll name as well to
> avoid any compatibility issues.

And a prototype in libpq-fe.h wouldn't hurt either... And a macro, to
enable distinguishing md5-enabled libpq versions from older versions.

Regards,
Andreas
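
The client-side hashing discussed in this thread, as an added example that is not part of the original messages and is not PostgreSQL or pgAdmin code. It assumes the md5 pre-hashed form `'md5' + md5(password || username)`; the function names and the sample log lines are constructed for illustration.

```python
import hashlib
import re

def pg_md5_password(user: str, password: str) -> str:
    """Return 'md5' + hex(md5(password || username)), the pre-hashed form."""
    digest = hashlib.md5((password + user).encode("utf-8")).hexdigest()
    return "md5" + digest

def quote_ident(name: str) -> str:
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value: str) -> str:
    # Only ever applied to the hex hash here, so backslash handling is moot.
    return "'" + value.replace("'", "''") + "'"

def create_user_sql(user: str, password: str) -> str:
    """Build CREATE USER with the hash in place of the cleartext password."""
    return "CREATE USER %s PASSWORD %s" % (
        quote_ident(user), quote_literal(pg_md5_password(user, password)))

_PASSWORD_CLAUSE = re.compile(r"\bPASSWORD\s+'((?:[^']|'')*)'", re.IGNORECASE)
_MD5_FORM = re.compile(r"md5[0-9a-f]{32}\Z")

def cleartext_password_statements(lines):
    """Return the lines whose PASSWORD literal is not already in md5 form."""
    hits = []
    for line in lines:
        m = _PASSWORD_CLAUSE.search(line)
        if m and not _MD5_FORM.match(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    "LOG:  statement: CREATE USER foo PASSWORD 'bar'",
    "LOG:  statement: " + create_user_sql("foo", "bar"),
    "LOG:  statement: SELECT 1",
]

if __name__ == "__main__":
    for line in cleartext_password_statements(SAMPLE_LOG):
        print("cleartext password in log:", line)
```

Because the username is part of the hash input, the same password yields a different value for each role.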
