Re: Client-side password encryption

From: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
To: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: Client-side password encryption
Date: 2005-12-18 15:53:53
Message-ID: E7F85A1B5FF8D44C8A1AF6885BC9A0E4850814@ratbert.vale-housing.co.uk
Lists: pgadmin-hackers pgsql-hackers

-----Original Message-----
From: pgadmin-hackers-owner(at)postgresql(dot)org on behalf of Peter Eisentraut
Sent: Sun 12/18/2005 2:25 AM
To: pgadmin-hackers(at)postgresql(dot)org
Subject: [pgadmin-hackers] Client-side password encryption

> Commands like CREATE USER foo PASSWORD 'bar' transmit the password in
> cleartext and possibly save the password in various client or server
> log files. I have just fixed this for psql and createuser to encrypt
> the password on the client side. A quick check of the pgadmin3 source
> code shows that you are also affected by this issue. I ask you to
> check where you paste cleartext passwords into SQL commands and change
> those to encrypt the password before sending or storing it anywhere.
> The required function pg_md5_encrypt() is contained in libpq.

So did you just rip it from there into psql? I don't see it in the list of libpq exports, so if that's not the case, on Windows at least we'll need to change the API, and possibly the DLL name as well to avoid any compatibility issues.

Regards, Dave.
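
The client-side encryption requested in the quoted message, as an added example that is not part of the original thread and is not psql, pgAdmin or libpq code: it builds the `md5` + md5(password || username) string that PostgreSQL accepts as an already-encrypted password, and scans statement log lines for password commands that still carry cleartext. The function names and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
import re

def pg_md5_verifier(password: str, username: str) -> str:
    """PostgreSQL md5 password format: 'md5' + hex(md5(password || username))."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest

def quote_ident(name: str) -> str:
    # Quote the role name so the server keeps its exact spelling; the name is
    # the salt, so an unquoted name folded to lower case would not match.
    return '"' + name.replace('"', '""') + '"'

def create_user_sql(username: str, password: str) -> str:
    """Statement text that carries only the verifier, never the cleartext."""
    return "CREATE USER %s PASSWORD '%s'" % (
        quote_ident(username), pg_md5_verifier(password, username))

# CREATE/ALTER USER|ROLE ... PASSWORD '<literal>' (also ENCRYPTED PASSWORD).
_PW_STMT = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:USER|ROLE)\b.*?\bPASSWORD\s+'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL)
_MD5_FORM = re.compile(r"md5[0-9a-f]{32}\Z")

def cleartext_password_lines(lines):
    """Return 1-based numbers of lines whose password literal is not md5-form."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _PW_STMT.search(line)
        if match and not _MD5_FORM.match(match.group(1)):
            hits.append(number)
    return hits

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    "LOG:  statement: CREATE USER foo PASSWORD 'bar'",
    "LOG:  statement: " + create_user_sql("foo", "bar"),
    "LOG:  statement: ALTER USER foo WITH ENCRYPTED PASSWORD 'hunter2'",
    "LOG:  statement: SELECT 1",
]

if __name__ == "__main__":
    print(create_user_sql("foo", "bar"))
    print("cleartext password on log lines:", cleartext_password_lines(SAMPLE_LOG))
```

The third sample line is flagged even though it says `ENCRYPTED`: that keyword only controls how the server stores the password, and the statement itself still carried the cleartext.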
