Re: What goes into the security doc?

Robert Treat wrote:
> I'm not sure how adequately these topics are covered elsewhere, but you
> should probably provide at least a pointer if not improved information:
>
> * Should have a mention of the pgcrypto code in contrib.
>
> * Brain hiccup, but isn't there some type of "password" datatype

It is in /contrib as chkpass:

Chkpass is a password type that is automatically checked and converted upon
entry. It is stored encrypted. To compare, simply compare agains a clear
text password and the comparison function will encrypt it before comparing.
It also returns an error if the code determines that the password is easily
crackable. This is currently a stub that does nothing.

I haven't worried about making this type indexable. I doubt that anyone
would ever need to sort a file in order of encrypted password.

If you precede the string with a colon, the encryption and checking are
skipped so that you can enter existing passwords into the field.

On output, a colon is prepended. This makes it possible to dump and reload
passwords without re-encrypting them. If you want the password (encrypted)
without the colon then use the raw() function. This allows you to use the
type with things like Apache's Auth_PostgreSQL module.

D'Arcy J.M. Cain
darcy(at)druid(dot)net

The document is a good idea, and the initdb -W item is good too!

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073