> I see. This protects the hash, which is an effective password, from being
> gotten by sniffers. But a cracker who has stolen the hashes out of Postgres can
> still get in no matter what until you change the passwords.
>
> I guess hashed password authentication is really not designed for use over an
> untrusted connection. You get the hash becomes effective password problem.
> Its very important that the hashed passwords stored in Postgres cannot be read
> by anyone except the Postgres superuser.
>
> I'm I getting this right?
Good point. Though they can't see the original password, they can have
a pgsql client use it to connect to the database.
Anyone have a fix for that one?
-- Bruce Momjian | http://www.op.net/~candle pgman@candle.pha.pa.us | (610)
853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill,
Pennsylvania19026