Re: Authentication FAQ or Howto? - Mailing list pgsql-general

From Joel Burton
Subject Re: Authentication FAQ or Howto?
Date
Msg-id Pine.LNX.4.30.0110191635000.22474-100000@temp.joelburton.com
In response to Authentication FAQ or Howto?  (Keary Suska <hierophant@pcisys.net>)
List pgsql-general
On Fri, 19 Oct 2001, Keary Suska wrote:

> Is anyone aware of FAQs or HowTos for using crypt type authentication and
> storing encrypted passwords?
>
> I am mainly interested in two things: 1) if passwords have to be stored in a
> plain text file (pg_passwd), can they be stored encrypted? and 2) is it
> possible to authenticate with an encrypted password so passwords do not have
> to be shown in plain text in script files?
>
> At least, I would like to dispose of the pg_passwd file, which seemingly
> shouldn't be necessary because of the pg_shadow table.
>
> Keary Suska
> Esoteritech, Inc.
> "Leveraging Open Source for a better Internet"

crypt or md5 authorization in the pg_hba.conf table refers to how the
passwd is sent in the network protocol, not how it is stored in the
pg_shadow table. Choosing one of these options reduces security risks due
to network sniffing.

In version < 7.2, passwords must be stored in the pg_shadow as plaintext.
In version 7.2 (beta very soon), passwords can be stored encrypted (md5,
IIRC). This is not related directly to the above question of the network
protocol; this is just how they're stored.

As for scripts that connect to DB: you have to either (a) prompt the user
for a password (from STDIN or such) or (b) store the password in the
script (or in a file called by script, etc.) Don't see any way around it
(more clever souls might, though.)

pg_passwd exists to allow you to specify tighter controls about who can
connect to the database w/pg_hba.conf. I don't see why you want to dispose
of it.

Paranoid? Use 7.2, store passwords pre-hashed in md5. Connect to the DB
using SSL or through an SSH tunnel (as explained in docs), and always
prompt the user for the password from STDIN, not from a script.


--

Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
Independent Knowledge Management Consultant
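The md5 storage format Joel mentions for 7.2 and the "prompt from STDIN" advice, as an added example that is not part of the original thread: PostgreSQL 7.2+ stores `'md5' || md5(password || username)` in pg_shadow, and the helpers below compute and check that value and read the password from the terminal rather than from the script. The sample USERNAME/PASSWORD are constructed values.

```python
import getpass
import hashlib
import hmac

# Constructed sample credentials (not taken from the thread).
USERNAME = "keary"
PASSWORD = "correct horse battery staple"


def pg_md5_hash(username: str, password: str) -> str:
    """Return the value PostgreSQL 7.2+ stores in pg_shadow for md5 passwords.

    The stored form is 'md5' + hex(md5(password || username)). The username is
    the only salt, so the same user/password pair hashes identically on every
    server; a leaked pg_shadow row is therefore reusable against other hosts
    that share the pair, which is one reason to prefer SSL/SSH on the wire too.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def verify_stored(username: str, password: str, stored: str) -> bool:
    """Check a candidate password against a stored pg_shadow value.

    Pre-7.2 plaintext rows (no 'md5' prefix) are compared directly;
    hmac.compare_digest keeps the comparison constant-time in both cases.
    """
    if stored.startswith("md5"):
        candidate = pg_md5_hash(username, password)
    else:
        candidate = password
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def password_from_user(username: str) -> str:
    """Prompt on the terminal instead of embedding the password in a script.

    getpass reads with echo off from the controlling tty (falling back to
    stdin), so the secret never lands in the script file, argv or shell history.
    """
    return getpass.getpass(f"Password for {username}: ")


if __name__ == "__main__":
    stored = pg_md5_hash(USERNAME, PASSWORD)
    print("pg_shadow value:", stored)
    print("verify ok:", verify_stored(USERNAME, PASSWORD, stored))
    print("wrong user:", verify_stored("other", PASSWORD, stored))
```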

