Re: You're on SecurityFocus.com for the cleartext passwords.

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Vince Vielhaber <vev(at)michvhf(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.
Date: 2000-05-06 17:30:24
Message-ID: 200005061730.NAA18545@candle.pha.pa.us
Lists: pgsql-general pgsql-hackers

> On Sat, 6 May 2000, Bruce Momjian wrote:
>
> > > But what I'm proposing will let ALL clients send an encrypted password
> > > over the wire and we can also store them encrypted. By comparing twice
> > > we can maintain backward compatibility. The backend would compare the
> > > password received with the stored md5 password and compare the received
> > > password after md5ing it in case it was sent clear-text.
> >
> > But you can do that with our current system. Store them in pg_shadow
> > using unix password format. If a cleartext password comes in, crypt it
> > using the pg_shadow salt and compare them.
>
> You missed half of it. Platforms that don't have crypt would use our
> MD5 so eventually all of them would be sending encrypted passwords
> over the wire. I'm trying to accomplish two things here.

That is fine: We need crypted passwords in pg_shadow, and MD5 is
probably better than our current setup.

But we have tons of interfaces, all of which use the old stuff. If you
think you can do both at the same time, go ahead. MD5 has salt
capability, so you can move it right into our current client dialog
setup, and do double-MD5 as I suggested.

You still need double-MD5 because you have to crypt the password based
on the random salt passed to the client by the server. If you can make
the salt larger than 2 bytes at the same time, so much the better.

--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
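The scheme the thread is circling around (a stored MD5 of the password, a random server salt, and a "double MD5" response so the same check also accepts a legacy cleartext password) is small enough to write out. The following is an added example, not code from the message or from PostgreSQL; it assumes the stored form is the hex MD5 of the password alone, an 8-byte salt (wider than the 2 bytes Bruce objects to), and that the server simply tries both interpretations of what the client sent rather than relying on a protocol flag.

```python
"""Double-MD5 challenge/response as sketched in the thread (added example,
not the project's own code). Assumptions: stored form = hex MD5 of the
password alone, 8-byte random salt, server tries the salted-response
check first and falls back to treating the message as cleartext."""
import hashlib
import hmac
import os

SALT_LEN = 8  # assumption: larger than the 2-byte salt criticised above


def stored_form(password: str) -> str:
    """What the server keeps in pg_shadow instead of the cleartext password."""
    return hashlib.md5(password.encode()).hexdigest()


def make_challenge() -> bytes:
    """Server: fresh random salt for this connection attempt."""
    return os.urandom(SALT_LEN)


def client_response(password: str, salt: bytes) -> str:
    """Client: MD5 the password, then MD5 that digest together with the salt."""
    inner = stored_form(password)
    return hashlib.md5(inner.encode() + salt).hexdigest()


def respond_with_stored_hash(stored: str, salt: bytes) -> str:
    """Anyone holding the stored hash can answer the challenge without the
    password: the first MD5 is exactly what the server stores. This is the
    price of the scheme, shown here so it is not overlooked."""
    return hashlib.md5(stored.encode() + salt).hexdigest()


def server_verify(stored: str, salt: bytes, received: str) -> bool:
    """Server: accept a double-MD5 response; failing that, accept the
    message as a legacy cleartext password by MD5ing it and comparing
    with the stored form ("comparing twice" in the thread)."""
    expected = hashlib.md5(stored.encode() + salt).hexdigest()
    if hmac.compare_digest(expected, received):
        return True
    return hmac.compare_digest(stored, stored_form(received))


def exchange(password: str, attempt: str, legacy_client: bool = False) -> bool:
    """Run one full login: server stores, challenges, client answers."""
    stored = stored_form(password)
    salt = make_challenge()
    wire = attempt if legacy_client else client_response(attempt, salt)
    return server_verify(stored, salt, wire)


if __name__ == "__main__":
    print("new client, right password :", exchange("hunter2", "hunter2"))
    print("new client, wrong password :", exchange("hunter2", "hunter3"))
    print("old client, cleartext      :", exchange("hunter2", "hunter2", True))
```

Two caveats worth keeping in view with this design. The salted exchange only protects the password from a passive listener on that one connection; the stored digest is itself a password-equivalent, as `respond_with_stored_hash` shows, so pg_shadow still has to be protected as tightly as before. And the salt width matters for replay: a 2-byte salt gives only 65536 possible challenges, so an attacker who records enough exchanges can eventually answer a repeated one, which is why a wider salt is the right instinct.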
