Home > mailing lists

Re: Connect to postgres from a dynamic IP - Mailing list pgsql-general

From	Jorge Godoy
Subject	Re: Connect to postgres from a dynamic IP
Date	March 4, 2008 01:42:15
Msg-id	200803032341.51308.jgodoy@gmail.com Whole thread Raw
In response to	Re: Connect to postgres from a dynamic IP (paul rivers <rivers.paul@gmail.com>)
Responses	Re: Connect to postgres from a dynamic IP (brian <brian@zijn-digital.com>)
List	pgsql-general

Tree view

Em Monday 03 March 2008 13:17:03 você escreveu:
>
> My understanding is no password is sent in the clear with md5 per:
>
> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSW
>ORD

But the MD5 hash is.  This page states that the password can't be directly
sniffed, but one can still get the hash of the password and perform a
dictionary attack against it on a local copy (i.e., without ever trying to
connect to the server).

After a successful attack then one can connect directly to the server as if
the password was known to him/her.

Crypting the channell -- be it with SSL or SSH, for example -- will prevent
the sniffer from being able to capture the hash, so your password will be
safer.

--
Jorge Godoy      <jgodoy@gmail.com>

pgsql-general by date:

From: dmp
Date: 04 March 2008, 01:13:29
Subject: Re: PostgreSQL Array Use

From: brian
Date: 04 March 2008, 02:21:12
Subject: Re: Connect to postgres from a dynamic IP

Re: Connect to postgres from a dynamic IP - Mailing list pgsql-general

Previous

Next