From: | Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my> |
---|---|
To: | Jim Mercer <jim(at)reptiles(dot)org>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Encrypting pg_shadow passwords |
Date: | 2001-06-25 06:34:51 |
Message-ID: | 3.0.5.32.20010625143451.00841620@192.228.128.13 |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
At 12:51 AM 26-06-2001 -0400, Jim Mercer wrote:
>my mods are server-side only.
>
>to rewind a bit.
>
>my mods correct this by doing:
>
>with an AUTH_ARGUMENT == "pg_shadow", the process is:
>tmp_pwd = crypt(client->passwd, pg_shadow->passwd)
>if strcmp(tmp_pwd, pg_shadow->passwd) == 0
> access allowed
>else
> access not allowed
>
>this is not so much an enhancement, but a correction of what i think the
>original "password" authentication scheme was supposed to allow.
>
Yep it's a correction. pg_shadow shouldn't have been in plaintext in the
first place.
host all 127.0.0.1 255.255.255.255 password
should have meant check crypted passwords in pg_shadow.
Given your suggestion, what happens when someone does an ALTER USER ...
WITH PASSWORD ....?
Might it be too late to do a fix?
HMAC sounds interesting. What would the impact be on stuff like Pg DBD?
Cheerio,
Link.
From | Date | Subject | |
---|---|---|---|
Next Message | Zeugswetter Andreas SB | 2001-06-25 10:12:42 | AW: [PATCH] Re: Setuid functions |
Previous Message | Barry Lind | 2001-06-25 06:08:33 | Re: [HACKERS] JDBC adaptor issue |