From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Benjamin Adida <ben(at)mit(dot)edu>, Vince Vielhaber <vev(at)michvhf(dot)com>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-06 18:50:59 |
Message-ID: | 200005061850.OAA20497@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
> > The additional random salt prevents someone from sniffing
> > the communication between client and server and then simply log in by
> > sending the known hash of the password. The challenge-response means that
> > sniffing one login doesn't allow you to fake the next one.
>
> How so? The server sends out one fixed salt (the one stored for that
> user's password in pg_shadow) and one randomly-chosen salt. The client
> sends back two crypted passwords. The server can check one of them.
> What can it do with the other? Nothing that I can see, so where is the
> security gain? A sniffer can still get in by sending back the same
> pair of crypted passwords next time, no matter what random salt is
> presented.
No, you crypt the user-supplied password twice.
'fred' -> crypt with fixed -> crypt with random
Server does:
pg_shadow password -> crypt with random
Then check to see they match.
Does that help?
--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2000-05-06 18:51:25 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Tom Lane | 2000-05-06 18:43:37 | Re: You're on SecurityFocus.com for the cleartext passwords. |
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2000-05-06 18:51:25 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Tom Lane | 2000-05-06 18:43:37 | Re: You're on SecurityFocus.com for the cleartext passwords. |