* Paul Tillotson (pntil@shentel.net) wrote:
> Maybe I misunderstood, but I thought that others were saying that, if
> someone gets the contents of pg_shadow, then
>
> - if you use only "password" in your pg_hba.conf, he has to break one of
> the hashes first in order to log in.
> - but if you use "md5" in your pg_hba.conf, then he doesn't have to
> break the hashes at all.
(in order to authenticate to your Postgres installation as a given user)
> Is this correct?
Yes, this is correct.
> I guess I personally felt "betrayed" when I heard this since I (naively)
Me too. :/
> assumed that the point of hashing passwords was to make it so that
> someone who is able to read your database is prevented from logging in
> and corrupting the data, installing root-kits, etc.
The hash in pg_shadow should only be visible to the database superuser,
or someone who has access to the unix account postgres runs as.
> Now I see that the point of md5 authenticate is to address an entirely
> different problem, namely, having the cleartext password being captured
> on the wire.
The intention of the 'md5' method in pg_hba.conf is to avoid having the
password go over the network in the clear, yes. Unfortunately, this
pretty much requires that the database have something which is
password-equivilant stored on disk.
Thanks,
Stephen