From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | oleg yusim <olegyusim(at)gmail(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Session Identifiers |
Date: | 2015-12-20 17:40:41 |
Message-ID: | CAFj8pRB7-+6C04f3xLB6G2EhZ3CiTHk-8CsSyaWbcx-P-PYgHg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
2015-12-20 18:37 GMT+01:00 oleg yusim <olegyusim(at)gmail(dot)com>:
> Tom,
>
> I understand the idea that for external communication you rely on SSL.
> However, how about me opening psql prompt into the database directly from
> my Linux box, my db is installed at? I thought, it would be considered
> local connection and would not go through the SSL channels. If that is the
> case, here we would be dealing with Session IDs belonging to DB itself, not
> OpenSSL.
>
all necessary data are stored local in process memory. No session ID is
required.
Pavel
>
> Please, correct me if I'm wrong.
>
> Thanks,
>
> Oleg
>
> On Sun, Dec 20, 2015 at 11:28 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
>> oleg yusim <olegyusim(at)gmail(dot)com> writes:
>> > Got it, thanks... Now, is it any protection in place currently against
>> > replacing Session ID (my understanding, it is kept in memory, belonging
>> to
>> > the session process) or against guessing Session ID (i.e. is Session ID
>> > generated using FIPS 140-2 compliant algorithms, or anything of that
>> sort)?
>>
>> I don't think Postgres even has any concept that matches what you seem
>> to think a Session ID is.
>>
>> If you're looking for communication security/integrity checking, that's
>> something we leave to other software such as SSL.
>>
>> regards, tom lane
>>
>
>
From | Date | Subject | |
---|---|---|---|
Next Message | oleg yusim | 2015-12-20 17:45:26 | Re: Session Identifiers |
Previous Message | oleg yusim | 2015-12-20 17:38:13 | Re: Session Identifiers |