On Apr 21, 2005, at 8:59 PM, Stephen Frost wrote:

> * Paul Tillotson ([EMAIL PROTECTED]) wrote:
>> Maybe I misunderstood, but I thought that others were saying that, if
>> someone gets the contents of pg_shadow, then
>>
>> - if you use only "password" in your pg_hba.conf, he has to break one of
>> the hashes first in order to log in.
>> - but if you use "md5" in your pg_hba.conf, then he doesn't have to
>> break the hashes at all.
>>
>> (in order to authenticate to your Postgres installation as a given user)
>>
>> Is this correct?
>
> Yes, this is correct.
>
>> I guess I personally felt "betrayed" when I heard this since I (naively)
>
> Me too. :/
>
>> assumed that the point of hashing passwords was to make it so that
>> someone who is able to read your database is prevented from logging in
>> and corrupting the data, installing root-kits, etc.
>
> The hash in pg_shadow should only be visible to the database superuser,
> or someone who has access to the unix account postgres runs as.
>
>> Now I see that the point of md5 authentication is to address an entirely
>> different problem, namely, having the cleartext password being captured
>> on the wire.
>
> The intention of the 'md5' method in pg_hba.conf is to avoid having the
> password go over the network in the clear, yes. Unfortunately, this
> pretty much requires that the database have something which is
> password-equivalent stored on disk.

Wouldn't it be possible for postgres to rehash the md5 checksum of the
password before storing it in pg_shadow? This seems preferable if not optimal.
Does anyone know why this is not being done?

> Thanks,
>
>         Stephen

Thanks,

        Eliot Simcoe
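The property Paul and Stephen describe, as an added example that is not part of the thread and not PostgreSQL's own code: a Python model of what pg_shadow holds for an MD5-encrypted password and of the two pg_hba.conf methods under discussion. The username, password and salt are constructed for the example. The hashing follows the documented scheme (pg_shadow stores the literal prefix 'md5' followed by hex(md5(password || username)); under the 'md5' method the server sends a 4-byte random salt and the client answers with 'md5' + hex(md5(inner_hex || salt))). The helper names are mine.

```python
import hashlib
import os
import secrets

# Constructed credentials for the example; not values from the thread.
USERNAME = "alice"
PASSWORD = "correct horse"


def pg_md5_stored(password: str, username: str) -> str:
    """What pg_shadow holds for an MD5-encrypted password:
    the literal prefix 'md5' followed by hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_auth_response(stored: str, salt: bytes) -> str:
    """Client side of the 'md5' method (AuthenticationMD5Password).

    The server has sent a 4-byte random salt. The client answers with
    'md5' + hex(md5(inner || salt)), where inner is the 32-character hex
    digest that pg_shadow stores. The password itself is not needed here,
    only the stored value: this is what makes the hash password-equivalent."""
    if not stored.startswith("md5") or len(stored) != 35:
        raise ValueError("not an md5-encrypted pg_shadow entry")
    inner = stored[3:]
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_verify_md5(stored: str, salt: bytes, response: str) -> bool:
    """Server side of the 'md5' method: recompute the expected response from
    the stored entry and the salt it issued, then compare in constant time."""
    return secrets.compare_digest(md5_auth_response(stored, salt), response)


def server_verify_password(stored: str, username: str, cleartext: str) -> bool:
    """Server side of the 'password' method: the client sent the cleartext
    password over the wire; the server hashes it and compares with pg_shadow."""
    return secrets.compare_digest(pg_md5_stored(cleartext, username), stored)


def legitimate_client(password: str, username: str, salt: bytes) -> str:
    """A normal libpq-style client: derives the inner hash from the password
    it knows, then produces the salted response."""
    return md5_auth_response(pg_md5_stored(password, username), salt)


def attacker_with_pg_shadow_only(stored: str, username: str, salt: bytes):
    """An attacker who has read pg_shadow but does not know the password.

    Returns (md5_method_succeeds, password_method_succeeds)."""
    # 'md5' method: the stored value is all the client-side computation needs.
    md5_ok = server_verify_md5(stored, salt, md5_auth_response(stored, salt))
    # 'password' method: the attacker must send a cleartext password. Sending
    # the stored hash itself (or any guess that is not the real password)
    # fails; the attacker would have to break the hash first.
    password_ok = server_verify_password(stored, username, stored)
    return md5_ok, password_ok


if __name__ == "__main__":
    stored = pg_md5_stored(PASSWORD, USERNAME)
    salt = os.urandom(4)
    print("pg_shadow entry:", stored)
    print("legitimate client via md5 method:",
          server_verify_md5(stored, salt, legitimate_client(PASSWORD, USERNAME, salt)))
    print("attacker holding only the hash, md5 / password methods:",
          attacker_with_pg_shadow_only(stored, USERNAME, salt))
```

The response is a function of the stored entry and the salt alone, so the server has to keep exactly the value the client hashes from; if it kept a further hash of that value it would have nothing to compare the response against. The salt still buys what Stephen says it buys: a response captured on the wire under one salt does not verify under a fresh one, so the cleartext password never crosses the network and a sniffed exchange cannot be replayed.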
