Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Brett McCormick <brett@work.chicken.org>
From: Brett McCormick <brett@work.chicken.org>
To: ocie@paracel.com
Cc: maillist@candle.pha.pa.us (Bruce Momjian), scrappy@hub.org, jwieck@debis.com, Andreas.Zeugswetter@telecom.at, pgsql-hackers@hub.org
Date: 1998-02-20T03:03:55Z
Lists: pgsql-hackers
What about a public/private key mechanism, like ssh? On Thu, 19 February 1998, at 15:25:56, ocie@paracel.com wrote: > Standard salt is two characters, so an adversary might be able to > watch and record which salts produced which replies. Even with a > single login, a brute force attack might still be able to get the > user's password. A stronger challenge-response system might be more > secure. It should be possible for the server to authenticate a user > without having to store the user's password. > > Then again, this is all starting to sound like Kerberos, so if > Postgres had Kerberos authentication (which I think it does), then > this could be used for the ultra-high security authentication system. > > Ocie Mitchell