Re: Authenticate with hash instead of plaintext password? - Mailing list pgsql-general

From Stephen Frost
Subject Re: Authenticate with hash instead of plaintext password?
Msg-id 20121217020535.GG12354@tamriel.snowman.net
In response to Re: Authenticate with hash instead of plaintext password?  (Peter Bex <Peter.Bex@xs4all.nl>)
List pgsql-general
* Peter Bex (Peter.Bex@xs4all.nl) wrote:
> I could try my hand at providing a patch to switch to, say, bcrypt,
> but I'm pretty unfamiliar with the PostgreSQL source code.  If
> nobody else is interested in working on it I can give it a try
> during the holidays.

The code, in general, is very clean.  The issues you're going to run
into are questions about protocol support (the hash, in some ways, is
currently part of our PG protocol and so changing that would be a break
in the protocol which would be frowned upon greatly...) and making sure
that things don't break internally.  Note that not everything uses libpq
to talk to PG (the JDBC driver, for example, has a completely separate
implementation of the protocol, as I recall).  You'll also need to
address the upgrade path.

If this is implemented as an optional capability, that's more likely to
be acceptable but at the same time might not really 'fix' things.

I, for one, would love to see some work done in this area and would be
happy to help you with any questions you have regarding the code.

> I'm not sure how to deal with the md5 authentication method.
> There is a good point in the -hackers thread above that eavesdroppers
> are probably able to hijack existing connections, but there's no reason
> to take any risks.

We do support SSL also, of course, and we do encourage people to use it
whenever possible and definitely if going across untrusted networks.

    Thanks,

        Stephen
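
Added example, not part of the original message and not PostgreSQL source code: a sketch of the md5 password exchange showing why the stored hash is effectively part of the protocol, as the reply says. The md5 formulas follow the documented PostgreSQL md5 authentication; `alt_stored_verifier` and its `alt$` prefix are hypothetical, and the credentials and salt are constructed sample values.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_verifier(password: str, username: str) -> str:
    # Stored form for md5 auth: "md5" + md5(password || username)
    return "md5" + md5_hex((password + username).encode())

def client_response(password: str, username: str, salt: bytes) -> str:
    # What every client implementation (libpq, JDBC, ...) has to send:
    # "md5" + md5( hex(md5(password || username)) || salt )
    inner = md5_hex((password + username).encode())
    return "md5" + md5_hex(inner.encode() + salt)

def server_check(stored: str, salt: bytes, response: str) -> bool:
    # The server holds only the stored value and recomputes the
    # expected response from it, so the stored format is fixed by the exchange.
    if not stored.startswith("md5") or len(stored) != 35:
        return False  # stored value is not in the form the md5 exchange needs
    expected = "md5" + md5_hex(stored[3:].encode() + salt)
    return hmac.compare_digest(expected, response)

def alt_stored_verifier(password: str, username: str) -> str:
    # Hypothetical replacement storage format (SHA-256 as a stand-in for a
    # stronger hash such as bcrypt); not a real PostgreSQL format.
    return "alt$" + hashlib.sha256((password + username).encode()).hexdigest()

def demo() -> dict:
    user, pw = "app_user", "correct horse"   # constructed sample credentials
    salt = bytes([0x01, 0x02, 0x03, 0x04])   # constructed 4-byte salt
    resp = client_response(pw, user, salt)   # an unmodified md5 client
    md5_stored = stored_verifier(pw, user)
    return {
        "md5_storage": server_check(md5_stored, salt, resp),
        "wrong_password": server_check(
            md5_stored, salt, client_response("guess", user, salt)),
        # Same correct password, but the server now stores another hash:
        "alt_storage": server_check(alt_stored_verifier(pw, user), salt, resp),
    }

if __name__ == "__main__":
    print(demo())
```

With the storage format changed, the unmodified client's correct password is rejected, which is the compatibility and upgrade-path problem the reply describes.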
