| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: crypt auth |
| Date: | 2008-10-20 14:14:18 |
| Message-ID: | 48FC923A.5080402@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Magnus Hagander wrote:
> I notice our docs have:
>
> If you are at all concerned about password
> <quote>sniffing</> attacks then <literal>md5</> is preferred, with
> <literal>crypt</> to be used only if you must support pre-7.2
> clients. Plain <literal>password</> should be avoided especially for
>
>
> At what point do we just remove the support and say that people need to
> upgrade their clients? Sure, it's up to ppl not to configure it that
> way, but security-wise it's a foot-gun that I think is completely
> unnecessary.
AFAICT, removing an authentication method requires a protocol version
bump. If you think it is worth dealing with those complications, then
go for it. I think it might be worth it.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Teodor Sigaev | 2008-10-20 14:24:09 | Re: Index use during Hot Standby |
| Previous Message | Simon Riggs | 2008-10-20 13:42:06 | Re: Block level concurrency during recovery |