Re: How passwords can be crypted in postgres? - Mailing list pgsql-general

From John Clark L. Naldoza
Subject Re: How passwords can be crypted in postgres?
Msg-id 3A53C939.DC851913@ntsp.nec.co.jp
In response to Re: How passwords can be crypted in postgres?  ("Gordan Bobic" <gordan@freeuk.com>)
List pgsql-general
Hello All,

It seems to me that a solution for this specific problem
(Man-in-the-middle) can be found via SSH Tunneling...;-)

Using OpenSSH of course...;-)

If you are using (redhat) linux, I believe there is a great book online
found at http://www.openna.com called

Securing and Optimizing Redhat Linux.

There are a bunch of other ways that you can do...  But as for the
original thread...  I think you can encrypt passwords in postgres...;-)

But what do I know..;-)


> I was referring to a different aspect of security. I was referring to
> preventing more of a "man-in-the-middle" type of attack. If you have a
> packet sniffer somewhere between the client and the server, then someone
> could read your packet containing the encrypted password and use it to
> authenticate to the server, without knowing or caring what the real
> password is. If you can send the encrypted password to the server that
> matches, you're in.
>
> One way to secure this sort of setup is by using RSA-type algorithm where
> both client and server get to share a secret without actually transmitting
> any part of the actual key. This coupled with some form of authentication
> that would eliminate the man-in-the-middle attack (which would make that
> system vulnerable as well, because if someone is running a proxy in
> between you, they would also potentially know the shared secret) should
> bolt the system down completely. One obvious way to work around this all is
> to use public key cryptography such as PGP, which would remain secure as
> long as the private keys remain secure.
>
> But, the level of security required largely depends on what you are doing,
> and what sort of attack you want to protect yourself against...
>
> Regards.
>
> Gordan

--
     /) John Clark Naldoza y Lopez                           (\
    / )    Software Design Engineer II                       ( \
  _( (_    _  Web-Application Development                    _) )_
 (((\ \>  /_>    Cable Modem Network Management System <_\  </ /)))
 (\\\\ \_/ /         NEC Telecom Software Phils., Inc.  \ \_/ ////)
  \       /                                              \       /
   \    _/  phone: (+63 32) 233-9142 loc. 3112            \_    /
   /   /  cellphone: (+63 919) 813-6274                     \   \
  /   / email: njclark@ntsp.nec.co.jp                        \   \
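As an added illustration of the replay concern raised in the quoted message (example code written for this page, not from the thread or from PostgreSQL), this toy compares sending a stored password digest over the wire, which a sniffer can re-send verbatim, with a per-login challenge-response that makes the captured value single-use. The password, digest scheme and HMAC construction are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credential; the server keeps only the digest.
PASSWORD = b"correct horse"
STORED = hashlib.sha256(PASSWORD).digest()


def static_auth(sent_digest: bytes) -> bool:
    """Scheme the thread warns about: the client sends the stored digest
    itself, so whatever crosses the wire is sufficient on its own."""
    return hmac.compare_digest(sent_digest, STORED)


def replay_static(captured: bytes) -> bool:
    """A sniffer re-sends exactly what it saw; the server cannot tell."""
    return static_auth(captured)


class ChallengeServer:
    """Challenge-response: a fresh nonce per login, and the client proves
    knowledge of the secret with HMAC(secret, nonce). The wire value is
    bound to that nonce and is worthless once the nonce is consumed."""

    def __init__(self) -> None:
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def verify(self, response: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = hmac.new(STORED, self.nonce, hashlib.sha256).digest()
        self.nonce = None  # one-shot: a nonce is never accepted twice
        return hmac.compare_digest(response, expected)


def client_response(nonce: bytes) -> bytes:
    """Client side: derive the same digest from the password, answer the nonce."""
    return hmac.new(hashlib.sha256(PASSWORD).digest(), nonce, hashlib.sha256).digest()


def run_challenge_login() -> bool:
    server = ChallengeServer()
    return server.verify(client_response(server.challenge()))


def run_challenge_replay() -> bool:
    """Capture one valid response, then try it against the next login."""
    server = ChallengeServer()
    captured = client_response(server.challenge())
    assert server.verify(captured)  # the genuine login succeeds
    server.challenge()              # next login is issued a new nonce
    return server.verify(captured)  # the replayed response is rejected
```

This defeats a passive sniffer only; an active proxy sitting between client and server, as the quoted message notes, still needs an authenticated channel such as the SSH tunnel suggested above.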
