Bruce Momjian <pgman@candle.pha.pa.us> writes:
> One issue I have not heard is that CREATE USER, with the visible
> password, is sent over the wire in cleartext, and does appear in the
> logs, as we discussed, so while we MD5 the password in pg_shadow so
> administrators do not see it, we do log the query if the administrator
> has set it up that way. I see no way to secure this really since the
> administrator typically has control over the database installation.
To put that more clearly: if the point is to keep the user's cleartext
password out of the hands of the DBA, then the user has already blown it
by sending the password in cleartext in the first place. An
untrustworthy DBA could trivially insert code into CREATE USER to log
the original password in a place of his choosing.
regards, tom lane
