Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

Brett McCormick <brett@work.chicken.org>

From: Brett McCormick <brett@work.chicken.org>
To: ocie@paracel.com
Cc: maillist@candle.pha.pa.us (Bruce Momjian), scrappy@hub.org, jwieck@debis.com, Andreas.Zeugswetter@telecom.at, pgsql-hackers@hub.org
Date: 1998-02-20T03:03:55Z
Lists: pgsql-hackers
What about a public/private key mechanism, like ssh?

On Thu, 19 February 1998, at 15:25:56, ocie@paracel.com wrote:

> Standard salt is two characters, so an adversary might be able to
> watch and record which salts produced which replies.  Even with a
> single login, a brute force attack might still be able to get the
> user's password.  A stronger challenge-response system might be more
> secure.  It should be possible for the server to authenticate a user
> without having to store the user's password.
> 
> Then again, this is all starting to sound like Kerberos, so if
> Postgres had Kerberos authentication (which I think it does), then
> this could be used for the ultra-high security authentication system.
> 
> Ocie Mitchell