Bruce Momjian wrote:
> Tom Lane wrote:
> > 2. Improve our documentation about how to set up mutual authentication
> > under SSL (it's a bit scattered now).
> >
> > 3. Recommend using mutual auth even for local connections, if a server
> > containing sensitive data is to be run on a machine that al
Tom Lane wrote:
> 2. Improve our documentation about how to set up mutual authentication
> under SSL (it's a bit scattered now).
>
> 3. Recommend using mutual auth even for local connections, if a server
> containing sensitive data is to be run on a machine that also hosts
> untrusted users.
Bruce Momjian wrote:
Mark Mielke wrote:
I agree - I forgot there were different flavours. I think any of these
are just as good as SSL with public key authentication, and perhaps a
lot cheaper in terms of performance. The only piece of information
missing is the uid to compare against, wh
Mark Mielke wrote:
> Gregory Stark wrote:
> > "Mark Mielke" <[EMAIL PROTECTED]> writes:
> >
> >> UNIX socket kernel credential passing was mentioned in an earlier post,
> >> but I didn't see it raised again.
> >>
> >
> > I mentioned getsockopt(SO_PEERCRED) which isn't the same as cre
Tomasz Ostrowski wrote:
> > Fundamentally these are man-in-the-middle attacks, and the only real
> > solution is mutual authentication.
>
> The problem is not many people expect man-in-the-middle attack on
> secure LAN, localhost or local socket connection, so they'll not try
> to prevent it.
Agr
Mike Rylander wrote:
> On Dec 22, 2007 1:04 PM, Tom Lane <[EMAIL PROTECTED]> wrote:
> > Peter Eisentraut <[EMAIL PROTECTED]> writes:
> > > Wouldn't SSL work over Unix-domain sockets as well? The API only deals
> > > with file descriptors.
> >
> > Hmm ... we've always thought of SSL as being
Gregory Stark wrote:
"Mark Mielke" <[EMAIL PROTECTED]> writes:
UNIX socket kernel credential passing was mentioned in an earlier post, but I
didn't see it raised again.
I mentioned getsockopt(SO_PEERCRED) which isn't the same as credential
passing. It just tells you what uid is on the