Re: Re: Encrypting pg_shadow passwords - Mailing list pgsql-hackers

From michael@miknet.net (Michael Samuel)
Subject Re: Re: Encrypting pg_shadow passwords
Date
Msg-id 20010712162035.A3233@miknet.net
In response to Re: Re: Encrypting pg_shadow passwords  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
On Wed, Jul 11, 2001 at 01:00:42PM -0400, Bruce Momjian wrote:
> > * HMAC - Wrap all postgres data in an HMAC (I believe this requires a
> >   plaintext-like password on the server as does crypt and the double
> >   crypt scheme)
> 
> No, double-crypt has the passwords stored encrypted.

You missed my point.  If I can get hold of the encrypted password in
the database, I can hack up a client library to use the encrypted
password to log in.  Therefore, encrypting the password in pg_shadow
offers no advantage.

> > * Public Key (RSA/DSA) - Use public key cryptography to negotiate a
> >   connection. (When I'm not busy, I may decide to do this myself)
> 
> SSL?

I'd use the OpenSSL libraries to implement it, but we're talking about
public key authentication here, not connection encryption.

-- 
Michael Samuel <michael@miknet.net>
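
The point made in the reply above, as an added example that is not part of the original message or of PostgreSQL's code: a constructed model of a double-hash challenge-response login, in which the server can check a response using nothing but the value it stores, so that value has to be protected like the cleartext password. SHA-256 stands in for crypt(), and every function name, the salt and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (assumed stand-in for crypt())."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def stored_verifier(password: str, user_salt: bytes) -> bytes:
    """First hash: the value the server keeps in its password table."""
    return h(user_salt, password.encode())


def response_from_verifier(verifier: bytes, challenge: bytes) -> bytes:
    """Second hash: binds the stored value to a per-connection challenge."""
    return h(challenge, verifier)


def client_response(password: str, user_salt: bytes, challenge: bytes) -> bytes:
    """Regular client: derives the response from the cleartext password."""
    return response_from_verifier(stored_verifier(password, user_salt), challenge)


def server_accepts(verifier: bytes, challenge: bytes, response: bytes) -> bool:
    """Server: recomputes the response from the stored value only."""
    expected = response_from_verifier(verifier, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    user_salt = b"constructed-salt"      # constructed sample value
    password = "correct horse"           # constructed sample value
    table_entry = stored_verifier(password, user_salt)
    challenge = os.urandom(16)
    return {
        # Response derived from the cleartext password.
        "from_password": server_accepts(
            table_entry, challenge, client_response(password, user_salt, challenge)),
        # Response derived from the table entry alone, no cleartext involved.
        "from_table_entry": server_accepts(
            table_entry, challenge, response_from_verifier(table_entry, challenge)),
        # A wrong password is still rejected.
        "wrong_password": server_accepts(
            table_entry, challenge, client_response("guess", user_salt, challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

The `from_table_entry` result is the property to look for when reviewing such a scheme: whatever the server needs to verify a login is also enough to produce one.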

