> On Tue, Jun 26, 2001 at 11:02:15AM -0400, Bruce Momjian wrote:
> > This is the first time I am hearing people are more concerned about
> > pg_shadow security than the wire security. I can see cases where people
> > are on secure networks or are using only local users where having
> > pg_shadow encrypted is more important than crypt authentication.
> > Fortunately the new system will solve both problems.
>
> The crypt authentication currently used offers _no_ security. If I can
> sniff on the wire, I can hijack the tcp stream, and trick the client
> into doing password authentication.
It is my understanding that sniffing is much easier than hijacking. If
hijacking is a concern, you have to use SSL.
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill,
Pennsylvania19026
