Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

On Apr 21, 2005, at 8:59 PM, Stephen Frost wrote:

> * Paul Tillotson (pntil@shentel.net) wrote:
>
>> Maybe I misunderstood, but I thought that others were saying that, if
>> someone gets the contents of  pg_shadow, then
>>
>> - if you use only "password" in your pg_hba.conf, he has to break  
>> one of
>> the hashes first in order to log in.
>> - but if you use "md5" in your pg_hba.conf, then he doesn't have to
>> break the hashes at all.
>>
>
> (in order to authenticate to your Postgres installation as a given  
> user)
>
>
>> Is this correct?
>>
>
> Yes, this is correct.
>
>
>> I guess I personally felt "betrayed" when I heard this since I  
>> (naively)
>>
>
> Me too. :/
>
>
>> assumed that the point of hashing passwords was to make it so that
>> someone who is able to read your database is prevented from  
>> logging in
>> and corrupting the data, installing root-kits, etc.
>>
>
> The hash in pg_shadow should only be visible to the database  
> superuser,
> or someone who has access to the unix account postgres runs as.
>
>
>> Now I see that the point of md5 authenticate is to address an  
>> entirely
>> different problem, namely, having the cleartext password being  
>> captured
>> on the wire.
>>
>
> The intention of the 'md5' method in pg_hba.conf is to avoid having  
> the
> password go over the network in the clear, yes.  Unfortunately, this
> pretty much requires that the database have something which is
> password-equivilant stored on disk.

Wouldn't it be possible for postgres to rehash the md5 checksum of the
password before storing it in pg_shadow? This seems preferable if not  
optimal.
Does anyone know why this is not being done?

>
>     Thanks,
>
>         Stephen
>
    Thanks,
        Eliot Simcoe