On Thu, 25 Apr 2002 13:32:27 -0400
"Tom Lane" <tgl@sss.pgh.pa.us> wrote:
> Neil Conway <nconway@klamath.dyndns.org> writes:
> > IMHO, there are two separate processes going on here:
>
> The connection you are missing is that hashed password storage is
> incompatible with crypt-style password transmission.
Ah, ok -- that makes sense.
> If we force
> hashed storage then the only password transmission style available
> to pre-7.2 clients is cleartext. It's not at all clear that securing
> the on-disk representation is a more important goal than wire security.
I'd agree they are both important.
How many pre-7.2 clients are actually out there? If 'crypt' authentication
is deprecated in 7.2, is there any chance it will be removed in
7.3? If it is, it should be safe to switch to the scheme I mentioned
in my previous email, which is both less complicated, and
"secure-by-default".
Cheers,
Neil
--
Neil Conway <neilconway@rogers.com>
PGP Key ID: DB3C29FC
