Thread

  1. Re: Encrypting pg_shadow passwords

    Jim Mercer <jim@reptiles.org> — 2001-06-26T04:01:03Z

    On Mon, Jun 25, 2001 at 11:48:32PM -0400, Bruce Momjian wrote:
    > OK, I get you now.  Why not ask the client to do a crypt and compare
    > that to pg_shadow.  It is better than what we have now for 'password'
    > authentication because it encrypts pg_shadow.
    > 
    > The big problem is that you can't do 'crypt' authentication once you
    > encrypt pg_shadow, unless we do the double-encryption thing, and I think
    > it is a bigger win for them to use crypt-authentication than to encrypt
    > pg_shadow.
    
    my mods do not require encryption of pg_shadow, unless you want to use
    my "password pg_shadow" extension.  it is then the responsibility of the
    dbadmin to do "CREATE USER username WITH PASSWORD '$1$xxxxxx';"
    (i have a unix_crypt(text, text) function i can put in contrib, as well
    as samba_lm_crypt(text) and samba_nt_crypt(text) for anyone interested)
    
    the current code (without my mods) requires the dbadmin to either play
    the lottery and store all passwords in plain-text, or to manipulate
    external password files, which causes all manner of issues with regards
    to updating (changing) the passwords in the external files.
    
    > The wire is clearly less secure than pg_shadow.
    
    ah, you've not had a client rooted lately.
    
    the wire is far more secure than many default OS installations.
    
    i will not argue that the double-encryption stuff, and MD5 type stuff is
    better.
    
    however, forcing the dbadmin to store plain-text passwords in pg_shadow
    is at best unwise.
    
    giving them the option of my mods is a reasonable step towards allowing
    them to avoid that one-stop-shopping facility for crackers, without breaking
    any existing implementations for those who chose to walk what i consider
    an unsafe path.
    
    -- 
    [ Jim Mercer        jim@reptiles.org         +1 416 410-5633 ]
    [ Now with more and longer words for your reading enjoyment. ]
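The three schemes the exchange above turns on, as an added example that is not part of the original thread and not PostgreSQL's own code: (A) pg_shadow holds crypt(password) and 'password' authentication re-hashes what the client sends; (B) pg_shadow holds crypt(password) and 'crypt' authentication compares the client's crypt() answer directly to the stored row; (C) the "double-encryption" variant Bruce refers to, where pg_shadow holds a hash of that answer. PBKDF2-HMAC-SHA256 from the standard library stands in for the `$1$` MD5-crypt that `unix_crypt(text, text)` would produce; the `$demo$` prefix, every function name, the sample password and the fixed salt are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Stand-in for the crypt(3)-style hash the post stores in pg_shadow
# ('$1$...' MD5-crypt).  PBKDF2-HMAC-SHA256 is used only so the example
# runs on the standard library; '$demo$' is a constructed label, not a
# real crypt scheme identifier.
ITERATIONS = 50_000


def crypt_like(password: str, salt: str) -> str:
    """Salted one-way hash, playing the role of unix_crypt(text, text)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"$demo${salt}${digest.hex()}"


def split_hash(stored: str):
    """Return (salt, digest_hex) from a '$demo$<salt>$<digest>' string."""
    _, scheme, salt, digest = stored.split("$")
    if scheme != "demo":
        raise ValueError("unexpected scheme")
    return salt, digest


def new_salt() -> str:
    """Fresh random salt for a real deployment (the demo uses a fixed one)."""
    return os.urandom(6).hex()


# --- Scheme A: pg_shadow stores crypt(password); 'password' authentication ---
# The plaintext travels over the wire; the server re-hashes it with the stored
# salt and compares in constant time.
def password_auth(stored: str, wire_password: str) -> bool:
    salt, _ = split_hash(stored)
    return hmac.compare_digest(crypt_like(wire_password, salt), stored)


# --- Scheme B: pg_shadow stores crypt(password); 'crypt' authentication ---
# The server sends the salt as a challenge, the client answers with
# crypt(password, salt), and the server compares the answer to the stored row.
def crypt_auth_challenge(stored: str) -> str:
    salt, _ = split_hash(stored)
    return salt


def crypt_auth_response(password: str, salt: str) -> str:
    return crypt_like(password, salt)


def crypt_auth_verify(stored: str, response: str) -> bool:
    return hmac.compare_digest(stored, response)


# --- Scheme C: the "double-encryption" variant ---
# pg_shadow stores H(crypt(password, salt)); the client still answers with
# crypt(password, salt), and the server hashes that answer before comparing.
def double_store(password: str, salt: str) -> str:
    inner = crypt_like(password, salt)
    outer = hashlib.sha256(inner.encode()).hexdigest()
    return f"$demo${salt}${outer}"


def double_verify(stored: str, response: str) -> bool:
    _, expected = split_hash(stored)
    return hmac.compare_digest(hashlib.sha256(response.encode()).hexdigest(), expected)


def demo() -> dict:
    salt = "a1b2c3d4e5f6"  # constructed fixed salt so the run is reproducible
    stored = crypt_like("correct horse", salt)
    results = {
        "password_auth_ok": password_auth(stored, "correct horse"),
        "password_auth_bad": password_auth(stored, "wrong"),
        "crypt_auth_ok": crypt_auth_verify(
            stored, crypt_auth_response("correct horse", crypt_auth_challenge(stored))
        ),
        # Bruce's objection to scheme B: the pg_shadow row itself is a valid
        # answer, so hashing pg_shadow buys nothing against whoever can read it.
        "stored_row_is_password_equivalent": crypt_auth_verify(stored, stored),
    }
    double = double_store("correct horse", salt)
    results["double_ok"] = double_verify(double, crypt_auth_response("correct horse", salt))
    results["double_row_not_equivalent"] = double_verify(double, double)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scheme A is what Jim's mods enable: nothing in pg_shadow is reusable as a credential, but the plaintext crosses the wire on every login, which is the trade-off he weighs against a compromised client. Scheme B keeps the wire clean but turns the stored row into a password equivalent, which is exactly why Bruce says crypt authentication and an encrypted pg_shadow do not combine without the double-hash step; scheme C shows that step and the assertion that the stored row no longer verifies as a response.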