PG_PWD and PG_PASSWORD Security - Mailing list pgsql-general

From Anthony Metzidis
Subject PG_PWD and PG_PASSWORD Security
Date
Msg-id 97m43u$2ec0$1@news.tht.net
Whole thread Raw
Responses Re: PG_PWD and PG_PASSWORD Security
List pgsql-general

Hi,

When I 'CREATE USER testuser WITH PASSWORD 'mypassword';

I see an entry in PG_PWD with the password 'mypassword' in plaintext.

In my pg_hba.conf I have all hosts using 'password' authentication with no

file argument. Is there any way to keep postgres from saving the passwords

in plain text? This seems to be a huge security hole.  I thought that passwords were to be saved in PG_SHADOW. What is

PG_SHADOW for anyway?

If you have an answer, can you please cc: my email?

Thanks.

--tony

postgresql 7.0.3

 

pgsql-general by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: Postgres eats up memory when using cursors
Next
From: Scott Holmes
Date:
Subject: Users in pg_shadow