From: | Louis Bertrand <louis(at)bertrandtech(dot)on(dot)ca> |
---|---|
To: | Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | Gene Sokolov <hook(at)aktrad(dot)ru>, pgsql-hackers(at)postgreSQL(dot)org |
Subject: | Password thread (was: Re: [HACKERS] Updated TODO list) |
Date: | 1999-07-15 17:45:50 |
Message-ID: | Pine.BSO.4.10.9907151657500.11086-100000@tronix.bertrandtech.on.ca |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Agreed: over the wire is _very_ important. The question remains: does the
pgsql development team want to take on the responsibility of implementing
such a scheme at the application layer? There are plenty of very good
link/network/transport layer schemes in existence already. You'd just
be reinventing.
In a benign environment you don't worry about securing the wire (as with
protocols like telnet/rlogin, ftp and POP/IMAP). In a more cautious
environment, you apply well-known and understood encryption/authentication
schemes at a layer below the application (IPsec, SSH, SSL, Java security,
Kerberos, and there are plenty in the Microsoft world too).
But above all: do not store passwords in cleartext. It makes it
ridiculously easy for an attacker to take over user accounts. Let's say
they're kiddies who cracked root just by using a widely available exploit,
then, for free, they get the rest of the passwords in clear. Bonus!
Ciao
--Louis <louis(at)bertrandtech(dot)on(dot)ca>
Louis Bertrand http://www.bertrandtech.on.ca
Bertrand Technical Services, Bowmanville, ON, Canada
Tel: +1.905.623.8925 Fax: +1.905.623.3852
OpenBSD: Secure by default. http://www.openbsd.org/
On Thu, 15 Jul 1999, Bruce Momjian wrote:
> > I agree with Gene. Following this discussion, I sense a reluctance to
> > implement stronger password schemes because of the extra development
> > hassles (compatibility, crypto prohibitions, maintenance).
> >
> > 1) Divide and conquer: the developers are concerned about both "over the
> > wire" and server passwords. I suggest you focus on the server side and
> > leave the over the wire security to the DB admin/sys.admin as an
> > installation issue. If they choose to use SSL, SSH, IPsec or a home-grown
> > authentication handshake, that's of no concern to pgsql. Just think of it
> > as a telnet session into the server.
> >
> > 2) On the server side, use the native crypt(3) by default (or the NT
> > equivalent) and store the password hash. The strength of the crypt will
> > vary depending on the installation, but that's really up to the choice of
> > OS and installation. If someone wants to patch for PAM, Kerberos or
> > whatever, that's fine too, as long as you can always revert back to the
> > plain old crypt(3).
> >
>
> I disagree. Over the wire seems more important than protecting the
> passwords from the eyes of the database administrator, which in _most_
> cases is the system owner anyway.
>
> --
> Bruce Momjian | http://www.op.net/~candle
> maillist(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
> + If your life is a hard drive, | 830 Blythe Avenue
> + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
>
>
>
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 1999-07-15 19:09:57 | Re: [HACKERS] migration to v6.5 |
Previous Message | Michael J Schout | 1999-07-15 17:40:42 | migration to v6.5 |