Re: You're on SecurityFocus.com for the cleartext passwords.

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Benjamin Adida <ben(at)mit(dot)edu>, Vince Vielhaber <vev(at)michvhf(dot)com>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.
Date: 2000-05-06 18:57:38
Message-ID: 200005061857.OAA20779@candle.pha.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-hackers

> Probably the way to attack this would be to combine MD5 and this double
> password-munging algorithm as a new authentication protocol type to add
> to the ones we already support. That way old clients don't have to be
> updated instantly.

Not sure that will work because once we use md5 on the server side for
pg_shadow, we have to be able to do md5 on the client, I think, for
crypting because the md5 has to be done _before_ the random salt crypt.

>
> OTOH, if the password stored in pg_shadow is MD5-encrypted, then we lose
> the ability to support the old crypt-based auth method, don't we?

Yes.

> Old clients could be successfully authenticated with cleartext password
> challenge (server MD5's the transmitted password and compares to
> pg_shadow), but we couldn't do anything with a crypt()-encrypted
> password. Is that enough reason to stay with crypt() as the underlying
> hashing engine? Maybe not, but we gotta consider the tradeoffs...

Not sure.

--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tom Lane 2000-05-06 19:06:53 Re: You're on SecurityFocus.com for the cleartext passwords.
Previous Message Tom Lane 2000-05-06 18:55:42 Re: You're on SecurityFocus.com for the cleartext passwords.

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2000-05-06 19:06:53 Re: You're on SecurityFocus.com for the cleartext passwords.
Previous Message Tom Lane 2000-05-06 18:55:42 Re: You're on SecurityFocus.com for the cleartext passwords.