Thread: odbc - ssl: how-to-do-it.
Reading the administrator's guide (7.2 docs) about ssl let me get it up and going on the PGSQL server (7.3.2). I can connect to the database on my local machine, but when I try to connect through the odbc driver (most recent) on the win98 client machine, it says there is no entry in the pg_hba.conf file. If I turn ssl off in postgresql.conf, I connect ok with the odbc driver on the win98 client machine.

Is there a way to get the postgresql odbc driver to work with openssl, or should I instead use stunnel as a ssl wrapper?

John.

Actually, this touches on something that I've been wondering about.

Is there any way/what are the ways to secure the passwords sent by the PGODBC driver to the DB?

Clay
claycle@cisco.com

> -----Original Message-----
> From: John K. Herreshoff [mailto:jkherr@centurytel.net]
> Sent: Monday, May 26, 2003 4:17 PM
> To: pgsql-odbc@postgresql.org
> Subject: [ODBC] odbc - ssl: how-to-do-it.
>
> Reading the administrator's guide (7.2 docs) about ssl let me get it up and
> going on the PGSQL server (7.3.2). I can connect to the database on my
> local machine, but when I try to connect through the odbc driver (most
> recent) on the win98 client machine, it says there is no entry in the
> pg_hba.conf file. If I turn ssl off in postgresql.conf, I connect ok with
> the odbc driver on the win98 client machine.
>
> Is there a way to get the postgresql odbc driver to work with openssl, or
> should I instead use stunnel as a ssl wrapper?
>
> John.

> -----Original Message-----
> From: Clay Luther [mailto:claycle@cisco.com]
> Sent: 28 May 2003 23:34
> To: John K. Herreshoff; pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
>
> Actually, this touches on something that I've been wondering about.
>
> Is there any way/what are the ways to secure the passwords
> sent by the PGODBC driver to the DB?

Use md5 passwords. It won't prevent a replay attack, but at least they won't be plain text.

Regards, Dave.

There is a commercial product built on the open-source ODBC driver that will utilize an SSL connection and compression: They call it S/ODBC ...

http://www.commandprompt.com/entry.lxp?lxpe=142

I haven't tried it out yet. However, during my research of the product, I did speak with a representative of the company who seemed very knowledgeable regarding PostgreSQL. He was courteous as well.

CG

--- Dave Page <dpage@vale-housing.co.uk> wrote:
> > -----Original Message-----
> > From: Clay Luther [mailto:claycle@cisco.com]
> > Sent: 28 May 2003 23:34
> > To: John K. Herreshoff; pgsql-odbc@postgresql.org
> > Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
> >
> > Actually, this touches on something that I've been wondering about.
> >
> > Is there any way/what are the ways to secure the passwords
> > sent by the PGODBC driver to the DB?
>
> Use md5 passwords. It won't prevent a replay attack, but at least they
> won't be plain text.
>
> Regards, Dave.

"Dave Page" <dpage@vale-housing.co.uk> writes: >> Is there any way/what are the ways to secure the passwords >> sent by the PGODBC driver to the DB? > Use md5 passwords. It won't prevent a replay attack, but at least they > won't be plain text. Actually md5 does make a replay attack substantially harder. What goes over the wire is an md5 checksum of the cleartext password plus username plus a 4-byte salt chosen on-the-fly by the server. So a replay attacker would have to be lucky enough to be challenged with the same salt he'd seen used before. regards, tom lane
> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: 29 May 2003 14:57
> To: Dave Page
> Cc: Clay Luther; John K. Herreshoff; pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
>
> "Dave Page" <dpage@vale-housing.co.uk> writes:
> >> Is there any way/what are the ways to secure the passwords
> >> sent by the PGODBC driver to the DB?
>
> > Use md5 passwords. It won't prevent a replay attack, but at least they
> > won't be plain text.
>
> Actually md5 does make a replay attack substantially harder.
> What goes over the wire is an md5 checksum of the cleartext
> password plus username plus a 4-byte salt chosen on-the-fly
> by the server. So a replay attacker would have to be lucky
> enough to be challenged with the same salt he'd seen used before.

Ahh, I thought it sent just the password checksum and compared it to the md5 checksum in pg_shadow - thanks.

Regards, Dave.

> -----Original Message-----
> From: John K. Herreshoff [mailto:jkherr@centurytel.net]
> Sent: 29 May 2003 19:56
> To: Dave Page
> Subject: Re: [ODBC] odbc - ssl: how-to-do-it.
>
> for what it is worth: how do I do the MD5 stuff on a windows machine? Or do
> I? Is there an internet link that could get me going?
>
> (I really like the stunnel thing)

Just specify md5 in your pg_hba.conf, and use encrypted passwords. eg.

    CREATE USER john WITH ENCRYPTED PASSWORD 'BetchaCantGuessMe';

You'll also need a recent ODBC driver.

Regards, Dave.
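
The md5 exchange Tom Lane describes earlier in the thread, which the md5 setting in pg_hba.conf turns on, sketched as an added example that is not part of any post in the thread and is not PostgreSQL or driver code. It follows PostgreSQL's md5 scheme, in which the md5 of password plus username is hashed again with the server's 4-byte salt; the function names and the two salt values are constructed for illustration, and the user and password are the ones from the CREATE USER line above.

```python
import hashlib
import hmac


def stored_verifier(user, password):
    """Value the server keeps for an ENCRYPTED password: 'md5' + md5(password + user)."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def client_response(user, password, salt):
    """What the client sends after receiving the server's 4-byte salt."""
    inner = hashlib.md5((password + user).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_check(verifier, salt, response):
    """Server side: recompute from the stored verifier and this session's salt."""
    expected = "md5" + hashlib.md5(verifier[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def replay_demo():
    """Return (fresh login accepted, captured response accepted under a new salt)."""
    user, password = "john", "BetchaCantGuessMe"
    verifier = stored_verifier(user, password)

    salt_seen = bytes.fromhex("01020304")   # constructed: salt of the observed login
    salt_next = bytes.fromhex("a1b2c3d4")   # constructed: salt of a later connection

    captured = client_response(user, password, salt_seen)
    return (
        server_check(verifier, salt_seen, captured),
        server_check(verifier, salt_next, captured),
    )


def salt_collision_probability():
    """Chance that one new challenge repeats one previously seen 4-byte salt."""
    return 1 / 2 ** 32


if __name__ == "__main__":
    print(replay_demo())
    print(salt_collision_probability())
```

The response only protects the password exchange; query text and results still travel unencrypted unless the connection is wrapped in SSL or a tunnel such as stunnel.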