Stephen Frost <sfrost(at)snowman(dot)net> writes:
> With the 'md5' method the server will send a randomly
> generated salt to the client which will then concatenate the user's name
> to the password, perform an md5 on that result, then concatenate the
> result of the md5 to the salt provided by the server and will then md5
> that.
I think that in this case calling it a salt altogether is wrong. It's a
"challenge".
And I'm inclined to suggest that this authentication method be removed
altogether. The security flaw is that it exists at all. Not the details of the
implementation.
--
greg
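Added illustration, not from this thread and not PostgreSQL's own code: the exchange Stephen describes, carried out in Python. The "md5" tag on the stored value and the 4-byte length of the server's random value follow PostgreSQL's wire format; the user name, password and challenge bytes are constructed sample inputs. Beyond restating the two hashing rounds, the block shows the consequence that underlies Greg's objection: a party holding only the stored digest, never the password, answers the challenge just as well as the real client.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 4  # AuthenticationMD5Password carries a 4-byte random value


def stored_digest(password: str, username: str) -> str:
    """Value the server keeps for the role: 'md5' + hex(md5(password || username)).

    First round as described in the thread: the user name is concatenated
    to the password and the result is MD5'd. The hex digest is the input
    to the second round, so whoever has this string has all they need.
    """
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def challenge_response(digest: str, challenge: bytes) -> str:
    """Second round: 'md5' + hex(md5(hex_inner || challenge)).

    The only inputs are the stored digest (minus its 'md5' tag) and the
    server's random bytes; the plaintext password is not involved.
    """
    if not digest.startswith("md5") or len(digest) != 35:
        raise ValueError("expected 'md5' followed by 32 hex characters")
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("challenge must be exactly 4 bytes")
    inner_hex = digest[3:]
    return "md5" + hashlib.md5(inner_hex.encode() + challenge).hexdigest()


def client_answer(password: str, username: str, challenge: bytes) -> str:
    """What an honest client does: derive the digest from the password, answer."""
    return challenge_response(stored_digest(password, username), challenge)


def server_check(digest: str, challenge: bytes, answer: str) -> bool:
    """Server side: recompute from the stored digest, compare in constant time.

    The constant-time comparison is this example's choice, not a claim
    about how the server implements the check.
    """
    expected = challenge_response(digest, challenge)
    return hmac.compare_digest(expected, answer)


def new_challenge() -> bytes:
    """Fresh per-connection random value (the 'salt' the thread calls a challenge)."""
    return os.urandom(CHALLENGE_LEN)


def run_exchange(username="app", password="correct horse", challenge=None):
    """One complete exchange plus a digest-only replay. Returns the outcomes."""
    challenge = challenge if challenge is not None else new_challenge()
    digest = stored_digest(password, username)   # what the server has on file
    honest = client_answer(password, username, challenge)
    # Someone who obtained the stored digest (a copy of the catalog, a dump)
    # but never learned the password answers from the digest alone.
    digest_only = challenge_response(digest, challenge)
    wrong = client_answer("not the password", username, challenge)
    return {
        "honest_ok": server_check(digest, challenge, honest),
        "digest_only_ok": server_check(digest, challenge, digest_only),
        "wrong_password_ok": server_check(digest, challenge, wrong),
        "answer": honest,
    }


if __name__ == "__main__":
    # Fixed constructed challenge so the run is reproducible.
    for name, value in run_exchange(challenge=bytes.fromhex("0a1b2c3d")).items():
        print(f"{name}: {value}")
```

The per-connection random bytes do defeat a straight replay of a captured answer, which is what a challenge is for; they do nothing about the digest-only case above, because the stored string is itself password-equivalent and the server never learns whether the client derived it from a password or copied it.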