Re: Client-side password encryption - Mailing list pgadmin-hackers

From Andreas Pflug
Subject Re: Client-side password encryption
Date
Msg-id 43A58928.3020408@pse-consulting.de
In response to Re: Client-side password encryption  ("Dave Page" <dpage@vale-housing.co.uk>)
List pgadmin-hackers
Dave Page wrote:
>
>
> -----Original Message-----
> From: pgadmin-hackers-owner@postgresql.org on behalf of Peter Eisentraut
> Sent: Sun 12/18/2005 2:25 AM
> To: pgadmin-hackers@postgresql.org
> Subject: [pgadmin-hackers] Client-side password encryption
>
>
>> Commands like CREATE USER foo PASSWORD 'bar' transmit the password
>> in cleartext and possibly save the password in various client or
>> server log files.  I have just fixed this for psql and createuser
>> to encrypt the password on the client side.  A quick check of the
>> pgadmin3 source code shows that you are also affected by this
>> issue.  I ask you to check where you paste cleartext passwords into
>> SQL commands and change those to encrypt the password before
>> sending or storing it anywhere. The required function
>> pg_md5_encrypt() is contained in libpq.
>
>
> So did you just rip it from there into psql? I don't see it in the
> list of libpq exports, so if that's not the case, on Windows at least
> we'll need to change the API, and possibly the DLL name as well to
> avoid any compatibility issues.

And a prototype in libpq-fe.h wouldn't hurt either... And a macro, to
enable distinguishing md5-enabled libpq versions from older versions.


Regards,
Andreas
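
The change requested in the quoted message, sketched as an added example (not code from pgAdmin, psql or libpq): the client computes PostgreSQL's MD5 password format, `md5` followed by the hex MD5 of the password concatenated with the user name, and places that in the statement instead of the cleartext. All function names are hypothetical; the sample user and password are the ones from the quoted command.

```python
import hashlib


def pg_md5_verifier(username: str, password: str) -> str:
    """Return 'md5' + hex(md5(password || username)), PostgreSQL's MD5 format.

    The user name acts as the salt, so the same password yields a
    different string for every role.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_ident(name: str) -> str:
    # SQL identifier quoting: wrap in double quotes, double embedded quotes.
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    # SQL string literal quoting; assumes standard_conforming_strings = on.
    return "'" + value.replace("'", "''") + "'"


def create_user_cleartext(username: str, password: str) -> str:
    # "Before": the password travels and is logged exactly as typed.
    return f"CREATE USER {quote_ident(username)} PASSWORD {quote_literal(password)}"


def create_user_hashed(username: str, password: str) -> str:
    # "After": only the pre-computed MD5 string ever leaves the client.
    verifier = pg_md5_verifier(username, password)
    return f"CREATE USER {quote_ident(username)} PASSWORD {quote_literal(verifier)}"


if __name__ == "__main__":
    # Constructed sample values taken from the quoted CREATE USER command.
    user, secret = "foo", "bar"
    for build in (create_user_cleartext, create_user_hashed):
        sql = build(user, secret)
        exposed = quote_literal(secret) in sql
        print(f"{build.__name__}: cleartext in statement = {exposed}")
        print("  " + sql)
```

The server stores a string already in this format as-is rather than hashing it again. Later PostgreSQL releases added SCRAM-SHA-256 verifiers, which libpq's `PQencryptPasswordConn()` generates on the client.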
