From: | Lincoln Yeoh <lylyeoh(at)mecomb(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jim Mercer <jim(at)reptiles(dot)org> |
Cc: | David Duddleston <david(at)i2a(dot)com>, pgsql-general(at)hub(dot)org |
Subject: | Re: PostgreSQL cleartext passwords |
Date: | 2000-05-19 01:49:07 |
Message-ID: | 3.0.5.32.20000519094907.0087ed30@pop.mecomb.po.my |
Lists: | pgsql-general |

At 05:38 PM 18-05-2000 -0400, Tom Lane wrote:
>Not so! "crypt" authentication provides for sending passwords in
>crypted form during login (which is good if you're afraid of password-
>sniffers, but then maybe you should be using SSL to protect your whole
>session, not only the password). But it doesn't change the contents
>of pg_shadow.

But if someone sniffs the crypted form, won't they be able to reuse it?
What's there to prevent reuse of the crypted form? If there's nothing to
prevent that, I do not see any benefit of the crypt method, it's just a
waste of time.

I never really understood the postgresql crypt password mode- if it was
what I understood it to be, it was pretty much useless. In the end I stuck
to plaintext passwords, easier for me to understand.

>BTW, there is no particularly good reason to be storing passwords in
>the Postgres database at all --- you can instead use Kerberos
>authentication, or perhaps "ident" authentication (though ident is
>only OK if logins are only accepted from machines whose sysadmins you
>trust, since ident is easily faked on an insecure machine).

That probably means that ident is easily faked on most machines :).

I figure it's probably better to have a secure net (switched perhaps). If
external insecure machines need to use stuff in the secure net, there
should be a dedicated VPN or SSL server for that purpose.

Cheerio,
Link.
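
The replay question raised in this message, as an added example that is not part of the original email and does not reproduce PostgreSQL's actual "crypt" exchange: a login check that accepts a fixed hashed value is compared with one that binds the response to a fresh, single-use server challenge. The class names, the sample password and the choice of SHA-256/HMAC are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"constructed-example-password"  # constructed sample secret

def static_token(password: bytes) -> bytes:
    """What a client sends when the 'crypted form' is the same on every login."""
    return hashlib.sha256(password).digest()

def respond(password: bytes, nonce: bytes) -> bytes:
    """Client response bound to one server-chosen challenge."""
    return hmac.new(password, nonce, hashlib.sha256).digest()

class StaticHashServer:
    """Accepts a fixed hash: a value captured once keeps working."""
    def __init__(self, password: bytes):
        self.expected = static_token(password)

    def login(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self.expected)

class ChallengeServer:
    """Issues a random challenge per attempt and accepts each challenge once."""
    def __init__(self, password: bytes):
        self.key = password          # server needs the secret to verify responses
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False             # unknown or already used challenge
        self.pending.discard(nonce)
        return hmac.compare_digest(response, respond(self.key, nonce))

def demo() -> dict:
    static, chal = StaticHashServer(PASSWORD), ChallengeServer(PASSWORD)
    captured = static_token(PASSWORD)            # value seen on the wire
    n1 = chal.challenge()
    r1 = respond(PASSWORD, n1)                   # response seen on the wire
    return {
        "static_first_use": static.login(captured),
        "static_replayed": static.login(captured),
        "challenge_first_use": chal.login(n1, r1),
        "challenge_replayed_same_nonce": chal.login(n1, r1),
        "challenge_replayed_new_nonce": chal.login(chal.challenge(), r1),
    }
```

Neither scheme protects the rest of the session, which is the point of the SSL suggestion quoted above.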