On Wed, Oct 19, 2011 at 1:07 AM, Olaf van der Spek <[email protected]> wrote:
> On Tue, Oct 18, 2011 at 11:43 PM, Henrik Ingo <[email protected]> wrote:
>> # Note that auth_pam authentication will send your password unencrypted over the network!
>> # You should only use this kind of login as a convenience when using localhost, otherwise it is very insecure!
>> # Consider commenting out this line on production servers that don't need it.
>
> That's a recipe for disaster.

It depends what you compare against. MySQL always shipped with root
having empty password. Drizzle ships with no authentication at all.
Allowing users to log in with their system username and password by
default would be a great improvement in security in most cases.

If the drizzle client regains SSL support in the future, the above could
be combined with mandatory SSL connections by default, i.e. you then use
both SSL and auth_pam, or you comment away both of them. But even
without SSL, there are good arguments to promote auth_pam as it is
better than shipping with no authentication or empty root password.

> The code could be moved from the C++ to the C API.

If that could happen some time in the future, I'm sure it will be
used. There's no urgency to it, just that I was documenting auth_pam
tonight and saw this as a usability issue to raise.

henrik
-- 
[email protected]
+358-40-8211286 skype: henrik.ingo irc: hingo
www.openlife.cc

My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559
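The rule the quoted config comment states (a cleartext auth_pam login is acceptable only from localhost, or only when the connection is also protected by SSL/TLS) can be enforced server-side rather than left to an operator reading a comment. The following is an added example, not code from the Drizzle project or from anyone in this thread; the function names, the representation of a Unix-domain socket peer as `None`, and the constructed sample connections are assumptions. It also handles the case a naive string compare against "127.0.0.1" misses: IPv6 loopback (`::1`) and IPv4-mapped IPv6 addresses (`::ffff:127.0.0.1`), which a dual-stack listener will hand you for a local client.

```python
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical helper (not Drizzle's): is this peer really on the local host?
def is_loopback_peer(peer: Optional[str]) -> bool:
    """True when the peer address cannot have crossed a network:
    a Unix-domain socket (represented here as None) or a loopback IP,
    including the IPv4-mapped IPv6 form a dual-stack socket reports."""
    if peer is None:                      # Unix-domain socket: no network hop
        return True
    try:
        # Drop any IPv6 zone id (e.g. "fe80::1%eth0") before parsing.
        addr = ipaddress.ip_address(peer.split("%", 1)[0])
    except ValueError:
        return False                      # unparsable peer string: treat as remote
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped           # "::ffff:127.0.0.1" -> 127.0.0.1
    return addr.is_loopback               # 127.0.0.0/8 or ::1


def plaintext_auth_allowed(peer: Optional[str], tls: bool) -> bool:
    """Gate for a cleartext (auth_pam style) password exchange: allow it
    only where a sniffer on the wire cannot see it, i.e. the connection
    is TLS-protected or it never left the host."""
    return tls or is_loopback_peer(peer)


def audit(attempts: List[Tuple[Optional[str], bool]]) -> List[Tuple[Optional[str], bool, bool]]:
    """Apply the gate to a batch of (peer, tls) connection attempts and
    return (peer, tls, allowed) triples; useful for checking a policy
    against the peers a deployment actually sees."""
    return [(peer, tls, plaintext_auth_allowed(peer, tls)) for peer, tls in attempts]


# Constructed sample connection attempts (not real traffic).
SAMPLE_ATTEMPTS: List[Tuple[Optional[str], bool]] = [
    (None, False),               # local Unix socket, no TLS
    ("127.0.0.1", False),        # IPv4 loopback, no TLS
    ("::1", False),              # IPv6 loopback, no TLS
    ("::ffff:127.0.0.1", False), # IPv4-mapped loopback from a dual-stack listener
    ("10.1.2.3", False),         # remote client, no TLS: password would be sniffable
    ("10.1.2.3", True),          # remote client over TLS
    ("::ffff:10.1.2.3", False),  # remote client, mapped form, no TLS
    ("not-an-address", False),   # garbage peer string: fail closed
]

if __name__ == "__main__":
    for peer, tls, allowed in audit(SAMPLE_ATTEMPTS):
        verdict = "allow" if allowed else "REFUSE cleartext auth"
        print(f"peer={peer!r:24} tls={tls!s:5} -> {verdict}")
```

The gate fails closed on anything it cannot parse, and the mapped-address handling is the part worth keeping even if the rest is adapted: a check that only compares against the literal string "127.0.0.1" would refuse `::1` and accept nothing useful on an IPv6-only listener, or, worse, be bypassed by whichever representation the check author did not anticipate.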
