Re: What goes into the security doc? - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: What goes into the security doc?
Date
Msg-id 200301260215.h0Q2Fsi24213@candle.pha.pa.us
In response to Re: What goes into the security doc?  (Robert Treat <xzilla@users.sourceforge.net>)
List pgsql-hackers
Robert Treat wrote:
> I'm not sure how adequately these topics are covered elsewhere, but you
> should probably provide at least a pointer if not improved information:
> 
> * Should have a mention of the pgcrypto code in contrib.
> 
> * Brain hiccup, but isn't there some type of "password" datatype

It is in /contrib as chkpass:

Chkpass is a password type that is automatically checked and converted upon
entry.  It is stored encrypted.  To compare, simply compare against a cleartext
password and the comparison function will encrypt it before comparing.  It also
returns an error if the code determines that the password is easily crackable.
This is currently a stub that does nothing.

I haven't worried about making this type indexable.  I doubt that anyone would
ever need to sort a file in order of encrypted password.

If you precede the string with a colon, the encryption and checking are skipped
so that you can enter existing passwords into the field.

On output, a colon is prepended.  This makes it possible to dump and reload
passwords without re-encrypting them.  If you want the password (encrypted)
without the colon then use the raw() function.  This allows you to use the type
with things like Apache's Auth_PostgreSQL module.

D'Arcy J.M. Cain
darcy@druid.net
 
The document is a good idea, and the initdb -W item is good too!

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
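
The behaviour described in the chkpass README quoted above, as an added SQL walk-through that is not part of the original message or of the chkpass distribution. Table and column names are hypothetical, and it assumes a server with contrib/chkpass installed and explicit casts through text available.

```sql
-- Added example; "accounts" and "accounts_restored" are hypothetical names.
-- Assumes contrib/chkpass is installed in the current database.

CREATE TABLE accounts (name text PRIMARY KEY, pw chkpass);

-- No leading colon: the input is checked and encrypted on entry.
INSERT INTO accounts VALUES ('alice', 'correct horse');

-- Comparison against cleartext: the comparison function encrypts the
-- right-hand side first, so the application never handles the stored form.
SELECT name,
       pw = 'correct horse' AS matches,
       pw = 'wrong guess'   AS rejects
FROM accounts;

-- Output form (colon prepended) next to raw(), which omits the colon.
SELECT name, pw AS dump_form, raw(pw) AS raw_form
FROM accounts;

-- Reload: the dump form starts with a colon, so input skips encryption
-- and checking and the stored value is carried over unchanged.
CREATE TABLE accounts_restored (name text PRIMARY KEY, pw chkpass);
INSERT INTO accounts_restored
SELECT name, (pw::text)::chkpass FROM accounts;

-- The reloaded value still matches the original cleartext.
SELECT name, pw = 'correct horse' AS still_matches
FROM accounts_restored;

-- Consequence for access control: a colon-prefixed value is stored as-is,
-- so INSERT/UPDATE rights on this column amount to the right to set a
-- stored password directly. Grant them accordingly.
```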
 

