From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Michael Samuel <michael(at)miknet(dot)net> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Re: Encrypting pg_shadow passwords |
Date: | 2001-07-11 03:32:00 |
Message-ID: | 200107110332.f6B3W0o02569@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> On Tue, Jun 26, 2001 at 11:02:15AM -0400, Bruce Momjian wrote:
> > This is the first time I am hearing people are more concerned about
> > pg_shadow security than the wire security. I can see cases where people
> > are on secure networks or are using only local users where having
> > pg_shadow encrypted is more important than crypt authentication.
> > Fortunately the new system will solve both problems.
>
> The crypt authentication currently used offers _no_ security. If I can
> sniff on the wire, I can hijack the tcp stream, and trick the client
> into doing password authentication.
It is my understanding that sniffing is much easier than hijacking. If
hijacking is a concern, you have to use SSL.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From | Date | Subject | |
---|---|---|---|
Next Message | Justin Clift | 2001-07-11 03:32:10 | Re: Performance tuning for linux, 1GB RAM, dual CPU? |
Previous Message | Michael Samuel | 2001-07-11 03:24:53 | Re: Re: Encrypting pg_shadow passwords |