Re: You're on SecurityFocus.com for the cleartext passwords.

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Benjamin Adida <ben(at)mit(dot)edu>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Vince Vielhaber <vev(at)michvhf(dot)com>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.
Date: 2000-05-06 18:29:22
Message-ID: 11055.957637762@sss.pgh.pa.us
Lists: pgsql-general pgsql-hackers

Benjamin Adida <ben(at)mit(dot)edu> writes:
>> It doesn't sound like MD5 changes this at all.

> The MD5 definitely doesn't change anything except overall security strength
> of the algorithm.

OK, understood. So it seems that switching to MD5 would offer (a) more
portability to platforms without crypt(3), and (b) better security,
at the costs of (a) implementation effort and (b) cross-version
compatibility problems. We probably ought to keep that discussion
separate from the one about how the challenge protocol works.

> The additional random salt prevents someone from sniffing
> the communication between client and server and then simply logging in by
> sending the known hash of the password. The challenge-response means that
> sniffing one login doesn't allow you to fake the next one.

How so? The server sends out one fixed salt (the one stored for that
user's password in pg_shadow) and one randomly-chosen salt. The client
sends back two crypted passwords. The server can check one of them.
What can it do with the other? Nothing that I can see, so where is the
security gain? A sniffer can still get in by sending back the same
pair of crypted passwords next time, no matter what random salt is
presented.

regards, tom lane
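The exchange Tom describes above, simulated as an added example (not PostgreSQL code and not from either correspondent). It assumes a stand-in salted hash (`hashlib.sha256`) in place of crypt(3), a constructed per-user salt and password, and two constructed per-login challenges. The first half models the protocol as Tom reads it: the server can compare only the fixed-salt hash, so a recorded response pair still passes on a later login. The second half is an assumed variant in which the client binds the fixed-salt hash to the random salt with an HMAC; the server holds that same hash, so it can recompute and verify, and a recorded response no longer passes under a fresh challenge.

```python
"""Simulation of the two-salt challenge protocol discussed in the thread.

Added illustration only.  hashlib.sha256 stands in for crypt(3); the
"fixed salt" is the per-user salt stored alongside the hash (pg_shadow in
the discussion), the "random salt" is the per-login challenge.
"""
import hashlib
import hmac


def crypt_like(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(3): a salted one-way hash of the password."""
    return hashlib.sha256(salt + password.encode()).digest()


# Server-side record for one user (constructed values): only the
# fixed-salt hash is stored, never the cleartext password.
FIXED_SALT = b"per-user-fixed-salt"
PASSWORD = "correct horse"            # known only to the client
STORED_HASH = crypt_like(PASSWORD, FIXED_SALT)

# Two distinct per-login challenges (constructed; a real server would
# draw these at random for every connection).
CHALLENGE_1 = b"random-salt-login-1"
CHALLENGE_2 = b"random-salt-login-2"


# ---- Protocol as described: two crypted passwords, one verifiable ----

def client_respond(password: str, fixed_salt: bytes, random_salt: bytes):
    """Client returns crypt(pw, fixed_salt) and crypt(pw, random_salt)."""
    return crypt_like(password, fixed_salt), crypt_like(password, random_salt)


def server_check_as_described(response, random_salt: bytes) -> bool:
    """Server can only compare the fixed-salt hash against its record.
    It has no cleartext password, so crypt(pw, random_salt) is unverifiable
    and is ignored; random_salt therefore plays no role in the decision."""
    h_fixed, _unverifiable = response
    return hmac.compare_digest(h_fixed, STORED_HASH)


def replay_passes_as_described() -> bool:
    """Sniffer records login 1's response and replays it on login 2."""
    recorded = client_respond(PASSWORD, FIXED_SALT, CHALLENGE_1)
    return server_check_as_described(recorded, CHALLENGE_2)


# ---- Assumed variant: bind the stored hash to the challenge ----

def client_respond_bound(password: str, fixed_salt: bytes, random_salt: bytes) -> bytes:
    """Client derives the stored hash, then keys an HMAC over the challenge."""
    h_fixed = crypt_like(password, fixed_salt)
    return hmac.new(h_fixed, random_salt, hashlib.sha256).digest()


def server_check_bound(response: bytes, random_salt: bytes) -> bool:
    """Server recomputes the same HMAC from its stored hash and compares."""
    expected = hmac.new(STORED_HASH, random_salt, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def legit_login_bound() -> bool:
    """A client that knows the password passes under the current challenge."""
    response = client_respond_bound(PASSWORD, FIXED_SALT, CHALLENGE_2)
    return server_check_bound(response, CHALLENGE_2)


def replay_passes_bound() -> bool:
    """The recorded login-1 response is rejected under challenge 2."""
    recorded = client_respond_bound(PASSWORD, FIXED_SALT, CHALLENGE_1)
    return server_check_bound(recorded, CHALLENGE_2)


if __name__ == "__main__":
    print("as described, replay accepted:", replay_passes_as_described())  # True
    print("bound variant, legit login:   ", legit_login_bound())            # True
    print("bound variant, replay accepted:", replay_passes_bound())         # False
```

The bound variant makes the random salt actually enter the server's decision, which is the property the quoted paragraph claims; the cost, worth stating for anyone weighing it, is that the stored hash becomes a password equivalent: whoever reads the server's hash table can answer the challenge without ever learning the password, so the table needs the same protection the cleartext passwords had.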
