Re: You're on SecurityFocus.com for the cleartext passwords.

From: Vince Vielhaber <vev(at)michvhf(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.
Date: 2000-05-06 17:19:16
Message-ID: Pine.BSF.4.21.0005061315050.13987-100000@paprika.michvhf.com
Lists: pgsql-general pgsql-hackers

On Sat, 6 May 2000, Bruce Momjian wrote:

> > > Now, if we want to move all the stuff to use MD5 rather than the standard
> > > unix password crypt, that is another option, though I am not sure what
> > > value it would have.
> > >
> > >
> >
> > How about ODBC? This is from the ODBC driver source connection.c:
> >
> > self->errormsg = "Password crypt authentication not supported";
> >
> > Is that because of the platform it's running on or what it's talking
> > to?
>
> Seems we don't have crypt support, so you can't send crypt passwords
> from an ODBC client. That is news to me.
>
> From looking there, and looking at pg_hba.conf, we have both 'password'
> and 'crypt' authentication in there.
>
> However, this is not a problem because we can still do backend-only
> crypting when comparing client-sent cleartext passwords to pg_shadow
> passwords.

But what I'm proposing will let ALL clients send an encrypted password
over the wire and we can also store them encrypted. By comparing twice
we can maintain backward compatibility. The backend would compare the
password received with the stored md5 password and compare the received
password after md5ing it in case it was sent clear-text.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
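The double comparison Vince proposes above, as an added illustration that is not part of the original thread and not PostgreSQL's own code: the backend stores only the MD5 of each password, and on login it first compares the received string against the stored hash as-is (client already sent the MD5), then hashes the received string and compares again (client sent cleartext). The hex-digest storage format, the `users` table and all passwords in it are constructed assumptions for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional


def md5_hex(password: str) -> str:
    """MD5 of the UTF-8 encoded password as lowercase hex.

    Assumed storage form for the example; the thread only says 'stored md5'.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; encode first because compare_digest
    # only accepts ASCII str, and a client may send arbitrary characters.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_password(received: str, stored_md5: str) -> Optional[str]:
    """Accept either an MD5 digest or a cleartext password from the client.

    Returns which form matched ("md5" or "cleartext") so the server can log
    which clients are still sending cleartext, or None on failure.
    """
    # 1. Client hashed the password itself: received == stored.
    if _same(received, stored_md5):
        return "md5"
    # 2. Legacy client sent cleartext: md5(received) == stored.
    if _same(md5_hex(received), stored_md5):
        return "cleartext"
    return None


# Constructed sample "pg_shadow": usernames and passwords invented for this example.
USERS: Dict[str, str] = {
    "alice": md5_hex("correct horse battery"),
    "bob": md5_hex("s3cret-bob"),
}


def authenticate(user: str, received: str) -> Optional[str]:
    """Look the user up and run the two-step comparison; None if unknown or wrong."""
    stored = USERS.get(user)
    if stored is None:
        # Hash anyway so unknown and known users take the same time.
        md5_hex(received)
        return None
    return check_password(received, stored)


if __name__ == "__main__":
    print(authenticate("alice", md5_hex("correct horse battery")))  # md5
    print(authenticate("alice", "correct horse battery"))           # cleartext
    print(authenticate("alice", "wrong"))                           # None
    print(authenticate("mallory", "anything"))                      # None
```

Because the stored digest is itself accepted as a credential in step 1, the hash column has to be protected as carefully as a cleartext password would be; the compatibility gain is that the wire no longer has to carry the cleartext form.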
