Greetings,

* Bruce Momjian (br...@momjian.us) wrote:
> On Wed, Mar 2, 2022 at 10:09:31AM -0500, Stephen Frost wrote:
> > I'm not sure that it's quite so simple. Perhaps we should also drop
> > LDAP and I don't really think PAM was ever terribly good for us to have,
> > but at least PAM and RADIUS could possibly be used with OTP solutions
> > (and maybe LDAP? Not sure, don't think I've seen that but perhaps..),
> > rendering sniffing of what's transmitted less valuable. We don't
> > support that for 'password' itself or for 'md5' in any serious way
> > though.
>
> I thought all the plain-password methods were already using SSL
> (hopefully with certificate authentication) and they were therefore
> safe. Why would we remove something like LDAP if that is what the site
> is already using?
We don't require SSL to be used with them..? Further, as already discussed on this thread, SSL only helps with on-the-wire, doesn't address the risk of a compromised server.

LDAP, in particular, is terrible in this regard because it's a centralized password system, meaning that one compromised server will lead to an attacker gaining full access to the victim's account throughout the enterprise.

Thanks,

Stephen
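As an added illustration of the pg_hba.conf side of the point made above (this is a constructed example, not configuration from the thread or from the PostgreSQL project), the first entry is the situation the reply objects to: LDAP authentication accepted on a plain `host` line, which matches both SSL and non-SSL connections, so the cleartext password the client sends for LDAP verification may cross the network unprotected. The corrected entries restrict LDAP to TLS-wrapped connections and reject everything else. The LDAP server name, base DN and address ranges are placeholder values.

```text
# Constructed example, not from the thread.
# Weak: 'host' matches SSL and non-SSL connections alike, so nothing forces
# the client's cleartext password for LDAP verification onto a TLS channel.
host      all   all   10.0.0.0/8   ldap ldapserver=ldap.example.com ldapbasedn="dc=example,dc=com" ldapsearchattribute=uid

# Corrected: only accept LDAP on SSL connections, and reject non-SSL outright.
# ldaptls=1 additionally protects the server-to-LDAP-server leg with StartTLS.
hostssl   all   all   10.0.0.0/8   ldap ldapserver=ldap.example.com ldapbasedn="dc=example,dc=com" ldapsearchattribute=uid ldaptls=1
hostnossl all   all   0.0.0.0/0    reject

# Alternative to the LDAP line above (pg_hba.conf uses the first matching
# entry, so this replaces it rather than follows it): with scram-sha-256 the
# PostgreSQL server never receives the password itself, which is the
# compromised-server risk that TLS alone does not address.
hostssl   all   all   10.0.0.0/8   scram-sha-256
```

Note that even with the corrected LDAP entries, the PostgreSQL server still sees each password in cleartext in order to bind against LDAP; the `hostssl` and `hostnossl` lines only close the on-the-wire gap, which is exactly the distinction the reply draws.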