Re: Log of CREATE USER statement - Mailing list pgsql-hackers

From Joshua D. Drake
Subject Re: Log of CREATE USER statement
Date
Msg-id 1134152496.28319.3.camel@jd.commandprompt.com
Whole thread Raw
In response to Re: Log of CREATE USER statement  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
On Fri, 2005-12-09 at 13:03 -0500, Bruce Momjian wrote:
> Tom Lane wrote:
> > Peter Eisentraut <peter_e@gmx.net> writes:
> > > Users who choose a password 
> > > should have the assurance that the password cannot be seen in 
> > > plain-text by anyone anywhere.  In a PostgreSQL system, the password 
> > > can be seen in all kinds of places, like the psql history, the server 
> > > log, the activity displays, and who knows where else.
> > 
> > As I said already, if the user wishes the password to be secure, he
> > needs to encrypt it on the client side.  Anything else is just the
> > illusion of security.
> 
> Should we document this?

That is a good question. One argument is, no. It should be fairly
obvious that if you don't turn on SSL then nothing is going to be
encrypted.

The other argument is that we should be explicit as possible...

Sincerely,

Joshua D. Drake


-- 
The PostgreSQL Company - Command Prompt, Inc. 1.503.667.4564
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Managed Services, Shared and Dedicated Hosting
Co-Authors: PLphp, PLperl, ODBCng - http://www.commandprompt.com/




pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Log of CREATE USER statement
Next
From: Martijn van Oosterhout
Date:
Subject: Re: Upcoming PG re-releases