From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Benjamin Adida <ben(at)mit(dot)edu>, Vince Vielhaber <vev(at)michvhf(dot)com>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-06 20:19:14 |
Message-ID: | 200005062019.QAA22688@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> >> Probably the way to attack this would be to combine MD5 and this double
> >> password-munging algorithm as a new authentication protocol type to add
> >> to the ones we already support. That way old clients don't have to be
> >> updated instantly.
>
> > Not sure that will work because once we use md5 on the server side for
> > pg_shadow, we have to be able to do md5 on the client, I think, for
> > crypting because the md5 has to be done _before_ the random salt crypt.
>
> We can still support old clients under the cleartext-password protocol:
> client sends password in clear, server MD5's it using salt from
> pg_shadow and compares result. This is vulnerable to sniffing but no
> more so than it was before. What we would lose is backwards
> compatibility to the crypt-password protocol. We should still choose
> a new Authentication typecode for the MD5/double-hash protocol, just to
> make sure no one gets confused about which protocol is being requested.
Yes, got it. I was confused.
--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2000-05-06 20:22:03 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Tom Lane | 2000-05-06 20:15:42 | Re: You're on SecurityFocus.com for the cleartext passwords. |
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2000-05-06 20:20:56 | Passwords |
Previous Message | Tom Lane | 2000-05-06 20:15:42 | Re: You're on SecurityFocus.com for the cleartext passwords. |