Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords - Mailing list pgsql-hackers

From Eliot Simcoe
Subject Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Msg-id 1F34E57D-4E2F-410F-A8C9-16AD2844C1E1@mac.com
In response to Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
On Apr 21, 2005, at 8:59 PM, Stephen Frost wrote:

> * Paul Tillotson (pntil@shentel.net) wrote:
>
>> Maybe I misunderstood, but I thought that others were saying that, if
>> someone gets the contents of  pg_shadow, then
>>
>> - if you use only "password" in your pg_hba.conf, he has to break one of
>> the hashes first in order to log in.
>> - but if you use "md5" in your pg_hba.conf, then he doesn't have to
>> break the hashes at all.
>>
>
> (in order to authenticate to your Postgres installation as a given user)
>
>
>> Is this correct?
>>
>
> Yes, this is correct.
>
>
>> I guess I personally felt "betrayed" when I heard this since I (naively)
>>
>
> Me too. :/
>
>
>> assumed that the point of hashing passwords was to make it so that
>> someone who is able to read your database is prevented from logging in
>> and corrupting the data, installing root-kits, etc.
>>
>
> The hash in pg_shadow should only be visible to the database superuser,
> or someone who has access to the unix account postgres runs as.
>
>
>> Now I see that the point of md5 authenticate is to address an entirely
>> different problem, namely, having the cleartext password being captured
>> on the wire.
>>
>
> The intention of the 'md5' method in pg_hba.conf is to avoid having the
> password go over the network in the clear, yes.  Unfortunately, this
> pretty much requires that the database have something which is
> password-equivalent stored on disk.

Wouldn't it be possible for postgres to rehash the md5 checksum of the
password before storing it in pg_shadow? This seems preferable if not optimal.
Does anyone know why this is not being done?

>
>     Thanks,
>
>         Stephen
>
    Thanks,
        Eliot Simcoe
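
Added example, not part of the original message and not PostgreSQL's own code: a Python sketch of the md5 challenge-response discussed in this thread, assuming the documented scheme (stored value is "md5" followed by md5(password + username); the server sends a 4-byte salt). The function names and sample credentials are constructed for illustration. It shows that the server's check depends only on the stored value and the salt, and that a verifier hashed once more before storage no longer validates a genuine client response.

```python
import hashlib
import hmac
import os


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, user: str) -> str:
    """Value kept in pg_shadow for an encrypted password."""
    return "md5" + md5hex(password.encode() + user.encode())


def client_response(password: str, user: str, salt: bytes) -> str:
    """What a client that knows the password sends for a given salt."""
    inner = md5hex(password.encode() + user.encode())
    return "md5" + md5hex(inner.encode() + salt)


def server_expected(stored: str, salt: bytes) -> str:
    """What the server compares against: a function of the stored value
    and the salt only, which is why the stored value is password-equivalent."""
    return "md5" + md5hex(stored[3:].encode() + salt)


def server_check(stored: str, salt: bytes, response: str) -> bool:
    return hmac.compare_digest(server_expected(stored, salt), response)


def rehashed_verifier(stored: str) -> str:
    """Hypothetical variant from the question above: hash the stored
    value once more before writing it to pg_shadow."""
    return "md5" + md5hex(stored[3:].encode())


def demo(salt: bytes = b"") -> tuple:
    user, password = "alice", "correct horse"  # constructed sample credentials
    salt = salt or os.urandom(4)               # per-connection challenge
    stored = stored_verifier(password, user)
    response = client_response(password, user, salt)
    ok_current = server_check(stored, salt, response)
    # With only the rehashed value on disk, the server can no longer
    # recompute the expected response to its own challenge.
    ok_rehashed = server_check(rehashed_verifier(stored), salt, response)
    return ok_current, ok_rehashed


if __name__ == "__main__":
    print(demo())
```
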

