Thread: bug in pgadmin III
Hi,

I found several bugs (perhaps easy to solve) in pgAdmin III 1.1.0 devel.

- in Create Usergroup: the property-page contains fields like *Username* and *User-ID* but should contain *Groupname* and *Group-ID*
- in Create User: the property-page contains a password-field which shows passwords in plaintext
- on Security-Panels: the privilege group combobox contains only group-name instead of group- and usernames

Bye

tom

Hi Tom,

Tom.Zschockelt@flender.com wrote:
>
> - in Create Usergroup : the property-page contains fields like
> *Username* and *User-ID* but should contain *Groupname* and *Group-ID*

This is a typo, fixed in cvs now.

> - in Create User : the property-page contains a password-field which
> shows passwords in plaintext

This is intentional. Any entered password will appear in plain text on the sql page anyway.

> - on Security-Panels : the privilege group combobox contains only
> group-name instead of group- and usernames

This is configurable, see FAQ.

Regards,
Andreas

Wouldn't it be better to use CREATE ENCRYPTED passwd instead?
Me thinks that's a better solution anyway!

Michiel

Andreas Pflug <pgadmin@pse-consulting.de>
Sent by: pgadmin-support-owner@postgresql.org
17-11-2003 16:09
To: Tom.Zschockelt@flender.com
cc: pgadmin-support@postgresql.org
Subject: Re: [pgadmin-support] bug in pgadmin III

Hi Tom,

Tom.Zschockelt@flender.com wrote:
>
> - in Create Usergroup : the property-page contains fields like
> *Username* and *User-ID* but should contain *Groupname* and *Group-ID*

This is a typo, fixed in cvs now.

> - in Create User : the property-page contains a password-field which
> shows passwords in plaintext

This is intentional. Any entered password will appear in plain text on the sql page anyway.

> - on Security-Panels : the privilege group combobox contains only
> group-name instead of group- and usernames

This is configurable, see FAQ.

Regards,
Andreas

Michiel Lange wrote:

>Wouldn't it be better to use
>CREATE ENCRYPTED passwd instead? Me thinks that's a better solution
>anyway!

If you know how to encrypt the password, we certainly could supply the option to enter it that way...

Regards,
Andreas

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 17 November 2003 16:07
> To: Michiel Lange
> Cc: pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support] bug in pgadmin III
>
> Michiel Lange wrote:
>
> >Wouldn't it be better to use
> >CREATE ENCRYPTED passwd instead? Me thinks that's a better solution
> >anyway!
>
> If you know how to encrypt the password, we certainly could
> supply the option to enter it that way...

It's just an md5 hash prefixed with 'md5' isn't it?

/D

Dave Page wrote:

>>>Wouldn't it be better to use
>>>CREATE ENCRYPTED passwd instead? Me thinks that's a better solution
>>>anyway!
>>
>>If you know how to encrypt the password, we certainly could
>>supply the option to enter it that way...
>
>It's just an md5 hash prefixed with 'md5' isn't it?

Ok, so we require pgAdmin3 users to calculate the md5 hash and enter it ;-)

Regards,
Andreas

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 17 November 2003 16:23
> To: Dave Page
> Cc: Michiel Lange; pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support] bug in pgadmin III
>
> Ok, so we require pgAdmin3 users to calculate the md5 hash
> and enter it ;-)

What's wrong with that? ;-)

Seriously though, I have some md5 code knocking around but it's all GPL. Presumably there is some BSD in the server someplace.

Regards, Dave.

Michiel Lange wrote:

>Well... I thought PgAdmin sends SQL commands to the database, right?

As you can see on each property dialog's SQL page.

>So, if you do
>CREATE USER <user> WITH ENCRYPTED PASSWD '<pwd>'?

ENCRYPTED PASSWORD is for dump/restore purposes (i.e. if you don't know the plain text password). I don't see the point for using encryption with online password changes.

Regards,
Andreas

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 17 November 2003 16:45
> To: Michiel Lange; [pgADMIN]
> Subject: Re: [pgadmin-support] bug in pgadmin III
>
> Michiel Lange wrote:
>
> >Well... I thought PgAdmin sends SQL commands to the database, right?
>
> As you can see on each property dialog's SQL page.
>
> >So, if you do
> >CREATE USER <user> WITH ENCRYPTED PASSWD '<pwd>'?
>
> ENCRYPTED PASSWORD is for dump/restore purposes (i.e. if you
> don't know the plain text password). I don't see the point
> for using encryption with online password changes.

Saves sending it in plaintext over the wire, or displaying it on screen anywhere.

Regards, Dave.

Dave Page wrote:

>Saves sending it in plaintext over the wire, or displaying it on screen
>anywhere.

IMHO this isn't worth the effort. We have SSL connections to secure wire tapping. This is necessary for securing session logon anyway.

Regards,
Andreas

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 17 November 2003 17:19
> To: Dave Page
> Cc: Michiel Lange; [pgADMIN]
> Subject: Re: [pgadmin-support] bug in pgadmin III
>
> IMHO this isn't worth the effort. We have SSL connections to
> secure wire tapping. This is necessary for securing session
> logon anyway.

How did you figure that? The server replies to the connection message with an md5 password message, which the client (libpq) sends. You don't need ssl to prevent sending plaintext passwords.

Regards, Dave.

>>If you know how to encrypt the password, we certainly could
>>supply the option to enter it that way...
>
> It's just an md5 hash prefixed with 'md5' isn't it?

???

Don't you just go ALTER USER blah ENCRYPTED PASSWORD 'asdf';

And postgres itself will encrypt it for you.

Your SQL view should show whatever PostgreSQL's pg_dump shows I think.

Chris

> -----Original Message-----
> From: Christopher Kings-Lynne [mailto:chriskl@familyhealth.com.au]
> Sent: 18 November 2003 01:19
> To: Dave Page
> Cc: Andreas Pflug; Michiel Lange; pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support] bug in pgadmin III
>
> >>If you know how to encrypt the password, we certainly could
> >>supply the option to enter it that way...
> >
> > It's just an md5 hash prefixed with 'md5' isn't it?
>
> ???
>
> Don't you just go ALTER USER blah ENCRYPTED PASSWORD 'asdf';
>
> And postgres itself will encrypt it for you.

Yeah, but the idea is to encrypt client-side to prevent sending passwords over the wire in cleartext. They can be loaded from a dump pre-hashed, so why can't we set them that way for a little extra security?

> Your SQL view should show whatever PostgreSQL's pg_dump shows I think.

Agreed. Normally, I would hope that is a hash...

Regards, Dave

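Added example, not part of the original thread and not pgAdmin's code: the client-side hashing discussed above, for PostgreSQL's md5 scheme, where the stored value is `md5` followed by the hex MD5 of the password concatenated with the user name. `blah` and `asdf` are the thread's own sample values; the function names and the salt are constructed for illustration.

```python
import hashlib
import hmac
import re

_VERIFIER_RE = re.compile(r"md5[0-9a-f]{32}")


def pg_md5_verifier(username: str, password: str) -> str:
    """Stored form: 'md5' + hex(md5(password || username))."""
    data = (password + username).encode("utf-8")
    return "md5" + hashlib.md5(data).hexdigest()


def alter_user_sql(username: str, verifier: str) -> str:
    """Build the statement from a pre-hashed value, so no cleartext is sent."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("expected 'md5' followed by 32 hex digits")
    ident = '"' + username.replace('"', '""') + '"'  # quote the identifier
    return f"ALTER USER {ident} ENCRYPTED PASSWORD '{verifier}';"


def md5_auth_response(verifier: str, salt: bytes) -> str:
    """Client reply to the server's md5 password request (4-byte salt)."""
    if not _VERIFIER_RE.fullmatch(verifier) or len(salt) != 4:
        raise ValueError("bad verifier or salt")
    inner = verifier[3:].encode("ascii")
    return "md5" + hashlib.md5(inner + salt).hexdigest()


def server_accepts(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored value and compare."""
    return hmac.compare_digest(md5_auth_response(stored, salt), response)


if __name__ == "__main__":
    v = pg_md5_verifier("blah", "asdf")       # sample values from the thread
    print(alter_user_sql("blah", v))          # statement carries only the hash
    salt = bytes([1, 2, 3, 4])                # constructed; server picks it at random
    print(server_accepts(v, salt, md5_auth_response(v, salt)))
```

The stored value alone is enough to produce a valid response, so for md5 authentication it is password-equivalent and dumps containing it need the same protection as the password. PostgreSQL 10 and later provide scram-sha-256, whose stored verifier does not have this property.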
Hi,

I originally meant that the password inputbox shows the password like "mypassword" and not like "**********"

regards, Tom

---------------------- Forwarded by Tom Zschockelt/Penig/Flender on 18.11.2003 09:09 ---------------------------

Sent by: pgadmin-support-owner@postgresql.org
To: "Christopher Kings-Lynne" <chriskl@familyhealth.com.au>
Cc: "Andreas Pflug" <pgadmin@pse-consulting.de>, "Michiel Lange" <Michiel_Lange@actuera.com>, <pgadmin-support@postgresql.org>
Subject: Re: [pgadmin-support] bug in pgadmin III

> -----Original Message-----
> From: Christopher Kings-Lynne [mailto:chriskl@familyhealth.com.au]
> Sent: 18 November 2003 01:19
> To: Dave Page
> Cc: Andreas Pflug; Michiel Lange; pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support] bug in pgadmin III
>
> >>If you know how to encrypt the password, we certainly could
> >>supply the option to enter it that way...
> >
> > It's just an md5 hash prefixed with 'md5' isn't it?
>
> ???
>
> Don't you just go ALTER USER blah ENCRYPTED PASSWORD 'asdf';
>
> And postgres itself will encrypt it for you.

Yeah, but the idea is to encrypt client-side to prevent sending passwords over the wire in cleartext. They can be loaded from a dump pre-hashed, so why can't we set them that way for a little extra security?

> Your SQL view should show whatever PostgreSQL's pg_dump shows I think.

Agreed. Normally, I would hope that is a hash...

Regards, Dave

> From: Tom.Zschockelt@flender.com [mailto:Tom.Zschockelt@flender.com]
> Sent: 18 November 2003 08:12
> To: pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support] bug in pgadmin III
>
> Hi,
>
> I originally meant that the password inputbox shows the password like "mypassword" and not like "**********"

Yes, we know - you just got us thinking about other related issues :-)
Regards, Dave.