On Sun, Apr 09, 2000 at 04:22:58PM -0400, Alex Verstak wrote:
>
> Tom Lane wrote:
> > Hmm. Can we find a freely-distributable version of libcrypt anywhere?
> >
> > (Actually, now that I think about it, I'm not entirely sure that crypt()
> > implements exactly the same transformation on every Unix platform.
> > It may be that you have to have a version of crypt() that matches the
> > one on your server's platform. That would be a pain in the neck ...
> > but if we did find an open-source libcrypt, maybe we could standardize
> > on using it in preference to vendor crypts...)
>
> I have no problem running the PostgreSQL server on Solaris and
> using a FreeBSD client with crypt authentication. Both systems
> use DES. Problems arise when systems try to work around the US
> export restrictions and supply MD5 or other weak encryption.
>
> For the same reason, you cannot make strong authentication code
> available on your website. The best you can do is provide
> a pointer to some DES implementation outside the US and instruct
> users to download and use this one if their systems do not work
> together. Another alternative is to include MD5 in the distribution,
> but use the system crypt by default, with a configuration option
> to switch to MD5.
I wonder whether SASL http://asg.web.cmu.edu/sasl/ is worth considering.
AFAICT postgresql would say authenticate userid,password,mechanism, and
sasl replies yes or no, and different mechanisms seem to plug in reasonably
cleanly.
Cheers,
Patrick
