Thread

  1. Re: Encrypting pg_shadow passwords

    Jim Mercer <jim@reptiles.org> — 2001-06-26T04:51:21Z

    On Tue, Jun 26, 2001 at 12:36:43AM -0400, Bruce Momjian wrote:
    > > > The big problem is that when we make a change we have to also talk to
    > > > old clients to you would have a pretty complex setup to have 'password'
    > > > encryption passing the same crypt over the wire all the time.  If not,
    > > > why not use 'crypt' authentication.
    > > 
    > > i don't understand the objection to my mods.
    > > 
    > > crypt authentication requires plain-text passwords stored in pg_shadow.
    > > 
    > > my stand is that this is not a good idea.
    > > 
    > > my mods in no way break any existing code, and add another variant on the
    > > existing auth schemes.
    > > 
    > > i think that any evolution of the auth schemes should depreciate the older
    > > methods, but that backwards compatibility needs to be maintained, even
    > > if the code is disabled by default, and needs a --enable to turn it back on.
    > 
    > OK, your mods are going to have to propogate to all clients.  Older
    > clients can't use this scheme,
    
    my mods are server-side only.
    
    to rewind a bit.
    
    the existing implementation of:
    
    host dbname ipaddr netmask password
    
    says:
    
    #   password:   Authentication is done by matching a password supplied
    #           in clear by the host. If AUTH_ARGUMENT is specified then
    #           the password is compared with the user's entry in that   
    #           file (in the $PGDATA directory).  These per-host password 
    #       files can be maintained with the pg_passwd(1) utility.
    #       If no AUTH_ARGUMENT appears then the password is compared
    #       with the user's entry in the pg_shadow table.
    
    this description is a tad misleading.
    
    with an AUTH_ARGUMENT, the process is:
    tmp_pwd = crypt(client->passwd, AUTH_ARGUMENT->passwd)
    if strcmp(tmp_pwd, AUTH_ARGUMENT->passwd) == 0
       access allowed
    else
       access not allowed
    
    without an AUTH_ARGUMENT, the process is:
    if strcmp(client->passwd, pg_shadow->passwd) == 0
       access allowed
    else
       access not allowed
    
    my mods correct this by doing:
    
    with an AUTH_ARGUMENT == "pg_shadow", the process is:
    tmp_pwd = crypt(client->passwd, pg_shadow->passwd)
    if strcmp(tmp_pwd, pg_shadow->passwd) == 0
       access allowed
    else
       access not allowed
    
    this is not so much an enhancement, but a correction of what i think the
    original "password" authentication scheme was supposed to allow.
    
    > and once we have double-encryption, what advantage does this have?
    
    once we have it, cool. as long as the passwords are not stored plain-text.
    
    -- 
    [ Jim Mercer        jim@reptiles.org         +1 416 410-5633 ]
    [ Now with more and longer words for your reading enjoyment. ]