AW: So we're in agreement.... - Mailing list pgsql-hackers

From Zeugswetter Andreas SB
Subject AW: So we're in agreement....
Date
Msg-id 219F68D65015D011A8E000006F8590C604AF7D74@sdexcsrv1.f000.d0188.sd.spardat.at
List pgsql-hackers
> The current thread started from the simple need to hide passwords 
> from PG superusers and system ROOTs. For that we have two schemes:
> 
> store MD5(username+passwd)
>  - hidden from sniffing but easily guessable salt (as most users are
> called 'bob')

I have not checked, but imho it will be easy to find out the username 
with some extra sniffing. Thus to assume that the username is a secret
is probably a bad assumption.
Walking through all user entries to find a matching md5 is imho 
unacceptable anyway, since md5 is a hash and thus has the 
potential for equal output with different input.

The only argument for some calculable salt would imho be
if it saves us one packet roundtrip. And this is only possible if we
don't do the challenge (which still is a variant imho, since we agreed 
that good sniffer protection needs to be done differently).

Thus:
C-->S: connect dbname username MD5(calculated_salt+password) 
S-->C: connection accepted

Andreas
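The exchange sketched in the message, as an added example that is not part of the original post and not PostgreSQL's own code. It models both sides of the one-round-trip scheme (the username standing in for the "calculated salt", so the wire value equals the stored value) and, for comparison, the challenge variant that costs the extra round trip. The credential store, the user names, the passwords and the helper names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not code from the thread or from PostgreSQL itself.
# All names, passwords and the credential store below are constructed.


def md5hex(*parts: str) -> str:
    """MD5 over the concatenation of the parts, as a hex string."""
    return hashlib.md5("".join(parts).encode("utf-8")).hexdigest()


def stored_hash(username: str, password: str) -> str:
    """What the server keeps instead of the cleartext password: MD5(username+password)."""
    return md5hex(username, password)


# Constructed server-side credential store (hypothetical layout).
SERVER_STORE = {
    "bob": stored_hash("bob", "hunter2"),
    "alice": stored_hash("alice", "correct horse battery"),
}


# --- Variant 1: no challenge, one round trip (the sketch in the message) ---

def client_connect(dbname: str, username: str, password: str) -> dict:
    """C-->S: connect dbname username MD5(calculated_salt+password), salt = username."""
    return {"dbname": dbname, "user": username, "auth": md5hex(username, password)}


def server_accept(msg: dict) -> bool:
    """S-->C: accepted or not. The lookup is keyed by the username in the packet,
    so the server never has to walk every entry looking for a matching MD5."""
    expected = SERVER_STORE.get(msg["user"])
    if expected is None:
        return False
    return hmac.compare_digest(expected, msg["auth"])


def replay(captured: dict) -> bool:
    """A sniffer resends a captured packet unchanged. Because the salt is derived
    from the username, the value on the wire is the same on every connection."""
    return server_accept(captured)


def offline_guess(captured: dict, wordlist: list) -> Optional[str]:
    """The username travels in the same packet as the hash, so the 'salt' is
    known to the sniffer and the hash can be attacked offline with a wordlist."""
    for candidate in wordlist:
        if md5hex(captured["user"], candidate) == captured["auth"]:
            return candidate
    return None


# --- Variant 2: server challenge, two round trips ---

def server_challenge() -> str:
    """S-->C: a fresh random salt for this connection attempt."""
    return secrets.token_hex(4)


def client_respond(dbname: str, username: str, password: str, challenge: str) -> dict:
    """C-->S: MD5(MD5(username+password) + challenge)."""
    return {"dbname": dbname, "user": username,
            "auth": md5hex(stored_hash(username, password), challenge)}


def server_accept_challenge(msg: dict, challenge: str) -> bool:
    """Server recomputes MD5(stored + challenge); a replayed answer to an old
    challenge no longer matches."""
    expected = SERVER_STORE.get(msg["user"])
    if expected is None:
        return False
    return hmac.compare_digest(md5hex(expected, challenge), msg["auth"])


def login_with_stored_hash(dbname: str, username: str, challenge: str) -> dict:
    """Whoever can read the store (the superuser or root the thread wants to hide
    passwords from) can still answer the challenge without knowing the password:
    the stored hash is itself a password equivalent."""
    return {"dbname": dbname, "user": username,
            "auth": md5hex(SERVER_STORE[username], challenge)}
```

Running the two variants side by side shows the trade-off the message describes: the challenge-free form saves a round trip but is replayable and, with the username on the wire, guessable offline; the challenge form stops replay but still does not hide a password-equivalent value from anyone who can read the store. For reference, the MD5 method PostgreSQL later shipped is of the challenge form: it stores md5(password || username) and sends md5(stored || 4-byte random salt) on the wire.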

