Re: PostgreSQL Password Cracker - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: PostgreSQL Password Cracker
Date
Msg-id 200301012309.h01N9ZO28410@candle.pha.pa.us
Whole thread Raw
In response to Re: PostgreSQL Password Cracker  (mlw <pgsql@mohawksoft.com>)
List pgsql-hackers
mlw wrote:
> >The comments at the top suggest sniffing a Postgres session startup
> >exchange in order to see the MD5 value that the user presents; which the
> >attacker would then give to this program.  (Forget it if the session is
> >Unix-local rather than TCP, or if it's SSL-encrypted...)
> >
> >This is certainly a theoretically possible attack against someone who
> >has no clue about security, but I don't put any stock in it as a
> >practical attack.  For starters, if you are talking to your database
> >across a network that is open to hostile sniffers, you should definitely
> >be using SSL.
> >  
> >
> This is absolutely correct, shouldn't this be in the FAQ?

Well, this is a pretty rare issue, so it doesn't seem like an FAQ.
People need to understand the ramifications of the various pg_hba.conf
settings, and I think our documentation does that.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073
 


pgsql-hackers by date:

Previous
From: Tatsuo Ishii
Date:
Subject: Re: Postgresql, unicode and umlauts
Next
From: mlw
Date:
Subject: Re: PostgreSQL Password Cracker