| From: | MURAT KOÇ <m(dot)koc21(at)gmail(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Changing Passwords as Encrypted not Clear-Text |
| Date: | 2011-12-19 13:01:28 |
| Message-ID: | CAA4y46zhEcrK=j=V-euQAERU4tk8TyyhhiQNSnPx2OvkSQF7QQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi List,
When I try to change my db password like below SQL statement from psql or
pgAdmin tool, it outputs to server logs as like this:
*postgres=# alter user mkoc password 'dummy';
ALTER ROLE
postgres=# alter user mkoc with password 'dummy';
ALTER ROLE
*
### Server Logs ###
2011-12-19 14:35:31
EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter
user mkoc password 'dummy';
2011-12-19 14:35:41
EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter
user mkoc with password 'dummy';
So, an OS user who can access to server log files can read DB users'
clear-text passwords from these logs. In my opinion, this is a big security
gap.
I don't want to see these changing password logs in clear-text. These
logs must be encrypted passwords instead of clear-text like below:
*Server Logs must be;
*2011-12-19 14:35:31
EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter
user mkoc password *values 'XFADIT9248fDSKFD';*
**
Is it possible to see changing passwords as encrypted? How should I change
password or what is the correct sql statement to change user password?
Best Regards,
Murat KOC
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Merlin Moncure | 2011-12-19 13:02:19 | Re: Logical Aggregate Functions (eg ANY()) |
| Previous Message | Filip Rembiałkowski | 2011-12-19 12:36:09 | Re: segfault with plproxy |