Re: odbc - ssl: how-to-do-it. - Mailing list pgsql-odbc

From Dave Page
Subject Re: odbc - ssl: how-to-do-it.
Date
Msg-id 03AF4E498C591348A42FC93DEA9661B83AF0DB@mail.vale-housing.co.uk
Whole thread Raw
In response to odbc - ssl: how-to-do-it.  ("John K. Herreshoff" <jkherr@centurytel.net>)
List pgsql-odbc

> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: 29 May 2003 14:57
> To: Dave Page
> Cc: Clay Luther; John K. Herreshoff; pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
>
>
> "Dave Page" <dpage@vale-housing.co.uk> writes:
> >> Is there any way/what are the ways to secure the passwords
> >> sent by the PGODBC driver to the DB?
>
> > Use md5 passwords. It won't prevent a replay attack, but at
> least they
> > won't be plain text.
>
> Actually md5 does make a replay attack substantially harder.
> What goes over the wire is an md5 checksum of the cleartext
> password plus username plus a 4-byte salt chosen on-the-fly
> by the server.  So a replay attacker would have to be lucky
> enough to be challenged with the same salt he'd seen used before.

Ahh, I thought it sent just the password checksum and compared it to the
md5 checksum in pg_shadow - thanks.

Regards, Dave.

pgsql-odbc by date:

Previous
From: Tom Lane
Date:
Subject: Re: odbc - ssl: how-to-do-it.
Next
From: Chris Gamache
Date:
Subject: Re: ODBC 703001 crashes IIS