| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | Greg Stark <gsstark(at)mit(dot)edu> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| Date: | 2005-04-22 03:17:18 |
| Message-ID: | 200504220317.j3M3HIu18664@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Greg Stark wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
>
> > With the 'md5' method the server will send will send a randomly
> > generated salt to the client which will then concatenate the user's name
> > to the password, perform an md5 on that result, then concatenate the
> > result of the md5 to the salt provided by the server and will then md5
> > that.
>
> I think that in this case calling it a salt altogether is wrong. It's a
> "challenge".
>
> And I'm inclined to suggest that this authentication method be removed
> altogether. The security flaw is that it exists at all. Not the details of the
> implementation.
That idea is so detached from reality, I don't know how to respond.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Qingqing Zhou | 2005-04-22 03:29:27 | Re: Proposal for background vacuum full/cluster |
| Previous Message | Alvaro Herrera | 2005-04-22 03:15:16 | Re: Proposal for background vacuum full/cluster |