encrypted passwords - Mailing list pgsql-hackers

From Neil Conway
Subject encrypted passwords
Date
Msg-id 87ptwl9o6d.fsf@klamath.dyndns.org
Responses Re: encrypted passwords  (Rod Taylor <rbt@zort.ca>)
Re: encrypted passwords  (Bruce Momjian <pgman@candle.pha.pa.us>)
Re: encrypted passwords  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
A couple questions regarding encrypted passwords:

(1) There was talk of changing the default value of the 'password_encryption' GUC variable for 7.3; AFAIK, this hasn't happened yet. Should this be done?

(2) What is the reasoning behind the current storage format of MD5-encrypted passwords? At the moment, we "determine" that a password is stored pre-hashed in pg_shadow by checking if it begins with "md5" and is 35 characters long (the isMD5() macro in libpq/crypt.h). This seems problematic, for a couple reasons:

    (a) it needlessly overloads the password field: that field should store the password or the digest itself, not meta-data about the authentication process.

    (b) it makes it difficult to determine if the password is *actually* encrypted, or whether the user just happened to specify an (unencrypted) password of that form.

    (c) it limits us to using the MD5 algorithm. MD5 is not looking as invincible as it once did, and having the capability to support SHA1 or another algorithm without too much pain would be nice.


(3) (Related to 2b above) Shouldn't we reject an attempt by the user to specify an un-encrypted password that matches the isMD5() test? For example:


nconway=# create user foo encrypted password
'md5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
CREATE USER
nconway=# create user foo2 encrypted password 'somethingelse';
CREATE USER
nconway=# select usename, passwd from pg_shadow where usename like 'foo%';
 usename |               passwd
---------+-------------------------------------
 foo     | md5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 foo2    | md51b80a20a1b6cd86eb369f01009b739d3

(The first password is stored "as-is", the second is hashed before
being stored.)

I don't see a need for the ability to specify pre-hashed passwords,
and it makes the whole process of determining the type of password
being used more complicated.

(4) The naming standard for system catalogs would dictate that the 'passwd' field of pg_shadow actually be named 'usepasswd' or something similar, wouldn't it? The same applies to the 'valuntil' field.


Cheers,

Neil

-- 
Neil Conway <neilconway@rogers.com>
PGP Key ID: DB3C29FC
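The ambiguity in points (2b) and (3) above, as an added illustration (not code from the message or from PostgreSQL): a toy model of the isMD5() prefix-and-length heuristic and of what lands in pg_shadow.passwd. It assumes PostgreSQL's md5 storage form of "md5" plus the hex MD5 of password followed by username, which the message does not spell out; the names below are hypothetical.

```python
import hashlib
import re

MD5_PREFIX = "md5"
MD5_PASSWD_LEN = 35  # "md5" + 32 hex digits, the length the isMD5() macro checks


def is_md5(passwd: str) -> bool:
    """Model of the isMD5() heuristic: prefix and length only, nothing else."""
    return passwd.startswith(MD5_PREFIX) and len(passwd) == MD5_PASSWD_LEN


def pg_md5_encrypt(passwd: str, username: str) -> str:
    """Assumed storage form: "md5" + hex(md5(password || username)).
    The username acts as the salt, so the same password hashes differently per user."""
    digest = hashlib.md5((passwd + username).encode()).hexdigest()
    return MD5_PREFIX + digest


def store_password(username: str, passwd: str, encrypted: bool = True) -> str:
    """What the toy model stores for CREATE USER ... [ENCRYPTED] PASSWORD.
    A value that already passes is_md5() is stored verbatim, whether or not the
    user actually meant it as a digest: that is the overloading the message objects to."""
    if not encrypted or is_md5(passwd):
        return passwd
    return pg_md5_encrypt(passwd, username)


def looks_hashed_strictly(passwd: str) -> bool:
    """A stricter shape check (32 lowercase hex digits after the prefix). It rejects
    the 'md5xxx...' example, but still cannot distinguish a genuine digest from a
    plaintext password that happens to be 32 hex digits; only out-of-band metadata can."""
    return re.fullmatch(r"md5[0-9a-f]{32}", passwd) is not None


def demo() -> dict:
    """Constructed inputs mirroring the psql session in the message."""
    constructed = {
        "foo": "md5" + "x" * 32,   # plaintext that merely has the shape of a digest
        "foo2": "somethingelse",   # ordinary password, gets hashed
    }
    return {user: store_password(user, pw) for user, pw in constructed.items()}
```

Running demo() shows the first value stored exactly as typed and the second replaced by a 35-character "md5..." digest, so a later reader of pg_shadow cannot tell which one was ever hashed.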
