Re: You're on SecurityFocus.com for the cleartext passwords.

> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> >> Probably the way to attack this would be to combine MD5 and this double
> >> password-munging algorithm as a new authentication protocol type to add
> >> to the ones we already support. That way old clients don't have to be
> >> updated instantly.
>
> > Not sure that will work because once we use md5 on the server side for
> > pg_shadow, we have to be able to do md5 on the client, I think, for
> > crypting because the md5 has to be done _before_ the random salt crypt.
>
> We can still support old clients under the cleartext-password protocol:
> client sends password in clear, server MD5's it using salt from
> pg_shadow and compares result. This is vulnerable to sniffing but no
> more so than it was before. What we would lose is backwards
> compatibility to the crypt-password protocol. We should still choose
> a new Authentication typecode for the MD5/double-hash protocol, just to
> make sure no one gets confused about which protocol is being requested.

Yes, got it. I was confused.

--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026