Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: "David F(dot) Skoll" <dfs(at)roaringpenguin(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org, bugtraq(at)securityfocus(dot)com
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-20 19:44:09
Message-ID: 20050420194409.GR29028@ns.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

* David F. Skoll (dfs(at)roaringpenguin(dot)com) wrote:
> Stephen Frost wrote:
> > The md5 hash which is generated for and stored in pg_shadow does not
> > use a random salt but instead uses the username which can generally be
> > determined ahead of time (especially for the 'postgres' superuser
> > account).
>
> I noted that this was a problem back in August, 2002:
>
> http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php
>
> Then, as now, the developers weren't very concerned.

I have some hopes that pointing out the rather large problem with the
md5 authentication mechanism in pg_hba.conf will lead them to discourage
it's use and thus reduce the occourances of the salt being made
available to the user giving more weight to the usefullness of having it
be a random salt. Additionally, it's been a few years, perhaps
viewpoints have changed.

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2005-04-20 19:51:23 Re: Problem with PITR recovery
Previous Message David F. Skoll 2005-04-20 19:36:53 Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords