Thread

  1. Re: Encrypting pg_shadow passwords

    Jim Mercer <jim@reptiles.org> — 2001-06-26T04:38:24Z

    On Tue, Jun 26, 2001 at 12:20:40AM -0400, Bruce Momjian wrote:
    > We will do double-crypt and everyone will be happy, right?
    > 
    > > if the API as above existed, then i would be happy to see "password" go away
    > > (although it should be depreciated to a --enable option, otherwise you are
    > > going to ruin a bunch of existing code).
    > 
    > Who is using it?  We can continue to allow it but at some point there is
    > no purpose to it unless you have clients that are pre-7.2.  Double-crypt
    > removes the use for it, no?
    
    if the API allows a plain text password, and compares against a crypto-pg_shadow
    i would imagine that would be fine.
    
    at this point i should apologize for possibly arguing out of turn.
    
    if 7.2 has the above, that is cool.
    
    i'm sorta hoping my mods can make it into 7.1.3, if there is one.
    
    > > i recognize that some of this can be done with the ident mapping facility,
    > > but again, that is an external file, and thus presents management issues.
    > 
    > Our authentication system is already too complex.  I would prefer not to
    > make it more so.  The more complex, the more mistakes admins make.
    
    understood, but you were asking for comments.  8^)
    
    -- 
    [ Jim Mercer        jim@reptiles.org         +1 416 410-5633 ]
    [ Now with more and longer words for your reading enjoyment. ]