Re: Re: Encrypting pg_shadow passwords

> That is not true.  The internet happily allows for active attacks.  In
> fact, active attacks are easier on the internet than passive ones.
> 
> My concern is, that by having something that we proclaim to be secure, we
> need for it to really be secure.
> 
> An HMAC would be a better alternative to the current crypt scheme, as
> it would provide integrity, without the overhead of having privacy.
> 
> Of course, HMAC would require the postgres protocol to talk in "packets",
> as it can't accept the data as being valid until it verifies the MAC. I'm
> not familiar with the protocol yet.
> 
> I suggest these authentication options:
> 
> * password - The current meaning of password, but with passwords hashed
>   using md5crypt() or something. (The usual crypt unneccessarily limits
>   passwords to 8 characters)

Once I do crypting of pg_shadow/double-crypt for 7.2, we don't need
password anymore.  It is around only for very old clients and for
secondary password files but wWe will not need that workaround with
double-crypt.

> * HMAC - Wrap all postgres data in an HMAC (I believe this requires an
>   plaintext-like password on the server as does crypt and the double
>   crypt scheme)

No, double-crypt has the passwords stored encrypted.

> * Public Key (RSA/DSA) - Use public key cryptography to negotiate a
>   connection. (When I'm not busy, I may decide to do this myself)

SSL?

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026