Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date
Msg-id 200504220317.j3M3HIu18664@candle.pha.pa.us
In response to Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords  (Greg Stark <gsstark@mit.edu>)
List pgsql-hackers
Greg Stark wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> 
> > With the 'md5' method the server will send a randomly
> > generated salt to the client which will then concatenate the user's name
> > to the password, perform an md5 on that result, then concatenate the
> > result of the md5 to the salt provided by the server and will then md5
> > that.  
> 
> I think that in this case calling it a salt altogether is wrong. It's a
> "challenge".
> 
> And I'm inclined to suggest that this authentication method be removed
> altogether. The security flaw is that it exists at all. Not the details of the
> implementation.

That idea is so detached from reality, I don't know how to respond.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
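The exchange Stephen Frost describes above (server sends a random value, client answers with md5 of the md5'd password-plus-username concatenated with that value) is small enough to write out in full. The following is an added example for readers of the thread, not PostgreSQL's own code and not anything posted in the thread: it computes the stored pg_shadow form, the client's reply, and the server-side check, using hypothetical function names and constructed sample credentials. The 4-byte length of the random value and the "md5" prefix on both the stored value and the reply follow PostgreSQL's documented MD5 authentication format.

```python
import hashlib
import hmac
import os


def pg_md5_stored(password: str, username: str) -> str:
    """Form PostgreSQL keeps in pg_shadow for a role with an MD5 password:
    the string "md5" followed by hex(md5(password || username)).
    (Hypothetical helper name; the algorithm is the one the thread describes.)"""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_response(password: str, username: str, salt: bytes) -> str:
    """What the client sends back after receiving the server's 4-byte random value:
    "md5" followed by hex(md5(hex(md5(password || username)) || salt))."""
    if len(salt) != 4:
        raise ValueError("PostgreSQL sends a 4-byte value with AuthenticationMD5Password")
    inner_hex = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def pg_md5_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check: the server never needs the cleartext password; it only
    re-hashes the hex part of the stored value together with the value it sent,
    and compares that with the client's reply (constant-time compare)."""
    if not (stored.startswith("md5") and response.startswith("md5")):
        return False
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def demo() -> bool:
    """Run one full round trip with constructed sample credentials."""
    username, password = "alice", "correct horse"  # constructed sample values
    stored = pg_md5_stored(password, username)      # what the server keeps
    salt = os.urandom(4)                            # what the server sends
    reply = pg_md5_response(password, username, salt)  # what the client answers
    return pg_md5_verify(stored, salt, reply)


if __name__ == "__main__":
    print("authenticated" if demo() else "rejected")
```

Two things the code makes concrete about the thread's terminology: the stored value is a real salted hash (the username is the salt, so two roles with the same password store different values), while the per-connection random value is only mixed into the reply, never into what is stored. That is why Greg Stark objects to calling the second value a "salt": it is a challenge, and the verification step above shows that answering it requires nothing beyond the stored pg_shadow entry itself.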