| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: crypt auth |
| Date: | 2008-10-27 11:11:26 |
| Message-ID: | 4905A1DE.5030102@hagander.net |
| Lists: | pgsql-hackers |
Magnus Hagander wrote:
> I notice our docs have:
>
> If you are at all concerned about password
> <quote>sniffing</> attacks then <literal>md5</> is preferred, with
> <literal>crypt</> to be used only if you must support pre-7.2
> clients. Plain <literal>password</> should be avoided especially for
>
>
> At what point do we just remove the support and say that people need to
> upgrade their clients? Sure, it's up to ppl not to configure it that
> way, but security-wise it's a foot-gun that I think is completely
> unnecessary.
Here's a patch that does this. Will apply unless there are objections.
//Magnus
| Attachment | Content-Type | Size |
|---|---|---|
| cryptauth.patch | text/x-diff | 14.9 KB |
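An added example, not part of the original message or the attached patch: a small Python check that reads `pg_hba.conf` text and reports records still using the `crypt` or `password` methods the quoted documentation warns about. The function names and the sample file contents are constructed for illustration.

```python
import ipaddress
import shlex

# Methods the quoted docs warn about: plain "password", and "crypt",
# which is only needed for pre-7.2 clients.
WEAK_METHODS = {"password", "crypt"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def auth_method(line):
    """Return (conn_type, method) for one pg_hba.conf record, or None."""
    tokens = shlex.split(line, comments=True)  # drops "#" comments, honours quotes
    if not tokens:
        return None
    conn_type = tokens[0]
    if conn_type == "local":
        idx = 3  # local DATABASE USER METHOD
    elif conn_type in HOST_TYPES:
        # host DATABASE USER ADDRESS METHOD, or ... IP-ADDRESS IP-MASK METHOD
        two_column = (len(tokens) > 4 and "/" not in tokens[3] and _is_ip(tokens[4]))
        idx = 5 if two_column else 4
    else:
        raise ValueError(f"unknown record type: {conn_type!r}")
    if len(tokens) <= idx:
        raise ValueError(f"no auth method in: {line!r}")
    return conn_type, tokens[idx]

def weak_records(text):
    """List (line_number, conn_type, method) for every weak-method record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = auth_method(line)
        if rec and rec[1] in WEAK_METHODS:
            findings.append((lineno, rec[0], rec[1]))
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = """\
# TYPE  DATABASE   USER  ADDRESS             METHOD
local   all        all                       md5
host    all        all   127.0.0.1/32        md5
host    legacy     app   10.0.0.0 255.0.0.0  crypt   # pre-7.2 client
hostssl all        all   0.0.0.0/0           password
host    "sales db" bob   192.168.1.0/24      md5
"""

if __name__ == "__main__":
    for lineno, conn_type, method in weak_records(SAMPLE):
        print(f"line {lineno}: {conn_type} record uses {method}")
```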