From: | Jim Nasby <Jim(dot)Nasby(at)BlueTreble(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
Subject: | Re: MD5 authentication needs help |
Date: | 2015-03-05 20:09:33 |
Message-ID: | 54F8B7FD.8070706@BlueTreble.com |
Lists: | pgsql-hackers |
On 3/4/15 2:56 PM, Stephen Frost wrote:
>> 2) The per-session salt sent to the client is only 32-bits, meaning
>> that it is possible to replay an observed MD5 hash in ~16k connection
>> attempts.
> Yes, and we have no (PG-based) mechanism to prevent those connection
> attempts, which is a pretty horrible situation to be in.
Is there some reason we don't just fix that? I'm thinking that this is a
special case where we could just modify the pg_auth tuple in-place
without bloating the catalog (we already do that somewhere else). Is
there something else that makes this difficult? Are we afraid of an
extra GUC to control it?
--
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com