Re: Encrypting pg_shadow passwords - Mailing list pgsql-hackers
From | Jim Mercer |
---|---|
Subject | Re: Encrypting pg_shadow passwords |
Date | |
Msg-id | 20010626005120.N1599@reptiles.org |
In response to | Re: Encrypting pg_shadow passwords (Bruce Momjian <pgman@candle.pha.pa.us>) |
Responses | Re: Encrypting pg_shadow passwords |
List | pgsql-hackers |
On Tue, Jun 26, 2001 at 12:36:43AM -0400, Bruce Momjian wrote:
> > > The big problem is that when we make a change we have to also talk to
> > > old clients so you would have a pretty complex setup to have 'password'
> > > encryption passing the same crypt over the wire all the time. If not,
> > > why not use 'crypt' authentication.
> >
> > i don't understand the objection to my mods.
> >
> > crypt authentication requires plain-text passwords stored in pg_shadow.
> >
> > my stand is that this is not a good idea.
> >
> > my mods in no way break any existing code, and add another variant on the
> > existing auth schemes.
> >
> > i think that any evolution of the auth schemes should depreciate the older
> > methods, but that backwards compatibility needs to be maintained, even
> > if the code is disabled by default, and needs a --enable to turn it back on.
>
> OK, your mods are going to have to propagate to all clients. Older
> clients can't use this scheme,

my mods are server-side only.

to rewind a bit.

the existing implementation of:

    host dbname ipaddr netmask password

says:

    # password: Authentication is done by matching a password supplied
    #           in clear by the host. If AUTH_ARGUMENT is specified then
    #           the password is compared with the user's entry in that
    #           file (in the $PGDATA directory). These per-host password
    #           files can be maintained with the pg_passwd(1) utility.
    #           If no AUTH_ARGUMENT appears then the password is compared
    #           with the user's entry in the pg_shadow table.

this description is a tad misleading.

with an AUTH_ARGUMENT, the process is:

    tmp_pwd = crypt(client->passwd, AUTH_ARGUMENT->passwd)
    if strcmp(tmp_pwd, AUTH_ARGUMENT->passwd) == 0
        access allowed
    else
        access not allowed

without an AUTH_ARGUMENT, the process is:

    if strcmp(client->passwd, pg_shadow->passwd) == 0
        access allowed
    else
        access not allowed

my mods correct this by doing:

with an AUTH_ARGUMENT == "pg_shadow", the process is:

    tmp_pwd = crypt(client->passwd, pg_shadow->passwd)
    if strcmp(tmp_pwd, pg_shadow->passwd) == 0
        access allowed
    else
        access not allowed

this is not so much an enhancement, but a correction of what i think the
original "password" authentication scheme was supposed to allow.

> and once we have double-encryption, what advantage does this have?

once we have it, cool. as long as the passwords are not stored plain-text.

-- 
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
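The three comparisons described in the message above, as an added Python example that is not part of the original post or the PostgreSQL source. PBKDF2 from hashlib stands in for crypt(3), and `crypt_like`, `new_entry`, `check_password` and the sample tables are hypothetical names with constructed data.

```python
import hashlib
import hmac
import os


def crypt_like(password: str, setting: str) -> str:
    """Stand-in for crypt(3) (assumption: PBKDF2 instead of the system crypt).
    Like crypt(), the salt is taken from `setting`, which may be a bare salt
    or a complete stored entry, and the result embeds that salt."""
    salt = setting.split("$", 1)[0]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def new_entry(password: str) -> str:
    """Create a stored entry with a fresh random salt."""
    return crypt_like(password, os.urandom(8).hex())


def check_password(client_passwd, auth_argument, pg_shadow, passwd_file, user):
    """Return True when access is allowed, for the 'password' auth method."""
    if auth_argument is None:
        # Existing behaviour without AUTH_ARGUMENT: pg_shadow holds the
        # password itself and it is compared directly.
        stored = pg_shadow.get(user)
        return stored is not None and hmac.compare_digest(
            client_passwd.encode(), stored.encode())
    # AUTH_ARGUMENT names a file, or (the proposed mod) "pg_shadow":
    # hash the client's password with the stored salt and compare hashes.
    table = pg_shadow if auth_argument == "pg_shadow" else passwd_file
    stored = table.get(user)
    if stored is None:
        return False
    candidate = crypt_like(client_passwd, stored)
    # Constant-time comparison instead of strcmp().
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed sample tables: the same user stored both ways.
PLAIN_SHADOW = {"alice": "s3cret-constructed"}
HASHED_SHADOW = {"alice": new_entry("s3cret-constructed")}

if __name__ == "__main__":
    print("plaintext row:", PLAIN_SHADOW["alice"])
    print("hashed row:   ", HASHED_SHADOW["alice"])
    print("hashed login ok:", check_password(
        "s3cret-constructed", "pg_shadow", HASHED_SHADOW, {}, "alice"))
```

With the hashed table, a copy of the stored row neither reveals the password nor works as one, because the server hashes whatever the client sends before comparing.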