Re: Re: Proposal for encrypting pg_shadow passwords - Mailing list pgsql-patches

From Peter Eisentraut
Subject Re: Re: Proposal for encrypting pg_shadow passwords
Date
Msg-id Pine.LNX.4.30.0108161903120.677-100000@peter.localdomain
In response to Re: Re: Proposal for encrypting pg_shadow passwords  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-patches
Bruce Momjian writes:

> OK, here is a new patch that creates a new md5 keyword on pg_hba.conf.
> That certainly makes my coding easier, and when I apply the patch to use
> larger salt for MD5, there is now a good reason to have a different
> keyword.  With the old system, they could have used an old client to
> replay a sniffed packet, while now, if the host is set to MD5, they have
> a much larger namespace with no fallback to crypt.

I don't follow this argument.  You added a config option that toggles
whether to use the old crypt(3) method or the new md5 method.  If the old
method is enabled then everything works as it has until now.  If the new method
is enabled, old clients will fail smoothly.  I don't see why you need to
introduce a new authentication type token; I thought the idea was to allow
this to work transparently.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter

