mlw wrote:
> > The comments at the top suggest sniffing a Postgres session startup
> > exchange in order to see the MD5 value that the user presents; which the
> > attacker would then give to this program. (Forget it if the session is
> > Unix-local rather than TCP, or if it's SSL-encrypted...)
> >
> > This is certainly a theoretically possible attack against someone who
> > has no clue about security, but I don't put any stock in it as a
> > practical attack. For starters, if you are talking to your database
> > across a network that is open to hostile sniffers, you should definitely
> > be using SSL.
>
> This is absolutely correct, shouldn't this be in the FAQ?
Well, this is a pretty rare issue, so it doesn't seem like an FAQ. People need to understand the ramifications of the various pg_hba.conf settings, and I think our documentation does that.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]                    |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
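The thread's point is that the exposure depends on how pg_hba.conf is written: a plain `host` entry matches both TLS and non-TLS TCP connections, so the MD5 challenge/response (or a cleartext `password`) can be observed by anyone sniffing the segment, whereas `hostssl` (with `ssl=on` in postgresql.conf) forces TLS and `local` entries never touch the wire. The following is an added example, not code from this mailing-list thread or from PostgreSQL itself: a small Python audit that parses pg_hba.conf records and flags exactly those settings. The sample configuration is constructed, the rule codes (`NO_TLS`, `TRUST`, `CLEARTEXT_PASSWORD`) are this script's own, and the mention of `scram-sha-256` refers to the method PostgreSQL 10 and later offer as a stronger alternative to `md5`.

```python
"""Audit pg_hba.conf for authentication settings whose startup exchange is
exposed to a network sniffer: TCP ('host'/'hostnossl') entries that do not
require TLS, 'trust' entries reachable from the network, and 'password'
entries that send the cleartext password.

Added example; not code from the thread or from PostgreSQL. The record
layout (TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD) follows the
documented pg_hba.conf format; the rule codes are this script's own."""

import ipaddress

# Constructed sample configuration; findings report line numbers in it.
SAMPLE_PG_HBA = """\
# TYPE     DATABASE  USER  ADDRESS         METHOD
local      all       all                   peer
host       all       all   127.0.0.1/32    md5
host       all       all   10.0.0.0/8      md5
host       all       all   0.0.0.0/0       trust
hostssl    all       all   10.0.0.0/8      md5
host       all       all   192.168.1.0/24  password
hostnossl  all       all   10.1.0.0/16     md5
"""


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return records as (lineno, type, database, user, address, method).

    address is None for 'local' records; the 'address netmask' two-field
    form is folded into a single 'address/netmask' string."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        rtype = parts[0]
        if rtype == "local":
            if len(parts) < 4:
                continue  # malformed record; the server would reject it too
            records.append((lineno, rtype, parts[1], parts[2], None, parts[3]))
            continue
        if len(parts) < 5:
            continue
        address, rest = parts[3], parts[4:]
        if len(rest) > 1 and _looks_like_ip(rest[0]):
            address = f"{address}/{rest[0]}"  # separate NETMASK field
            rest = rest[1:]
        records.append((lineno, rtype, parts[1], parts[2], address, rest[0]))
    return records


def _is_loopback(address):
    """True only for addresses provably confined to the loopback interface.
    Hostnames and keywords such as 'samenet' are treated as on the wire."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False


def audit_pg_hba(text):
    """Return (lineno, rule) findings for records whose authentication
    exchange a sniffer on the network could capture, or that need no
    credential at all."""
    findings = []
    for lineno, rtype, _db, _user, address, method in parse_pg_hba(text):
        if rtype == "local":
            continue  # Unix-domain socket: nothing crosses the network
        on_wire = not _is_loopback(address)
        if on_wire and rtype in ("host", "hostnossl"):
            # 'host' accepts TLS and plain TCP alike, so the md5
            # challenge/response can be sniffed; 'hostssl' (with ssl=on in
            # postgresql.conf) forces TLS for this record.
            findings.append((lineno, "NO_TLS"))
        if on_wire and method == "trust":
            # Any client that can reach the port connects with no credential.
            findings.append((lineno, "TRUST"))
        if method == "password":
            # Sends the password itself; md5 (or scram-sha-256 on
            # PostgreSQL 10+) avoids putting the secret on the wire.
            findings.append((lineno, "CLEARTEXT_PASSWORD"))
    return findings


if __name__ == "__main__":
    for lineno, rule in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {lineno}: {rule}")
```

Run against the sample, the audit reports the `host ... md5` records off loopback (lines 4, 7 and 8) as `NO_TLS`, the `0.0.0.0/0 trust` record as both `NO_TLS` and `TRUST`, and the `password` record additionally as `CLEARTEXT_PASSWORD`; the loopback, `local` and `hostssl` records pass. Note that `hostssl` records only ever match if the server has `ssl=on`, so the audit is a pg_hba.conf check, not a substitute for verifying the server's TLS configuration.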