Re: PostgreSQL Password Cracker
From | Bruce Momjian |
---|---|
Subject | Re: PostgreSQL Password Cracker |
Date | |
Msg-id | 200301012344.h01Niwq01483@candle.pha.pa.us |
In reply to | Re: PostgreSQL Password Cracker (mlw <pgsql@mohawksoft.com>) |
Responses | Re: PostgreSQL Password Cracker |
List | pgsql-hackers |
What do others think? I am not sure myself.

---------------------------------------------------------------------------

mlw wrote:
>
> Bruce Momjian wrote:
>
> >mlw wrote:
> >
> >>>The comments at the top suggest sniffing a Postgres session startup
> >>>exchange in order to see the MD5 value that the user presents; which the
> >>>attacker would then give to this program. (Forget it if the session is
> >>>Unix-local rather than TCP, or if it's SSL-encrypted...)
> >>>
> >>>This is certainly a theoretically possible attack against someone who
> >>>has no clue about security, but I don't put any stock in it as a
> >>>practical attack. For starters, if you are talking to your database
> >>>across a network that is open to hostile sniffers, you should definitely
> >>>be using SSL.
> >>>
> >>This is absolutely correct, shouldn't this be in the FAQ?
> >>
> >
> >Well, this is a pretty rare issue, so it doesn't seem like an FAQ.
> >People need to understand the ramifications of the various pg_hba.conf
> >settings, and I think our documentation does that.
> >
>
> A good DBA will probably read the docs, a bad DBA will probably not, and
> it is the bad DBA that needs to be guided the most.
>
> Maybe not FAQ, but is there a short page of "dos and don'ts"?
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
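To make the pg_hba.conf point concrete, here is an added illustration that is not from the thread: the weak entry that lets the startup exchange cross a TCP network in the clear, beside entries that force TLS for network clients and refuse plaintext TCP outright. It is written for a current PostgreSQL release (scram-sha-256 has replaced md5 as the password method since PostgreSQL 10); the address range and the use of `peer` for local sockets are assumptions.

```conf
# pg_hba.conf -- added example, not from the thread or the PostgreSQL docs.
# The 10.0.0.0/8 range is an assumed LAN; adjust to your network.
#
# TYPE      DATABASE  USER  ADDRESS        METHOD

# Weak: any TCP client on the LAN may authenticate without TLS, so the
# startup exchange (including the password challenge/response the thread
# discusses) is visible to anyone who can sniff the segment.
#host      all       all   10.0.0.0/8     md5

# Corrected: Unix-socket sessions are unaffected by network sniffing and
# keep OS-level authentication; TCP clients must negotiate TLS before
# authenticating (hostssl); any plain TCP attempt is refused (hostnossl
# ... reject) instead of silently falling back to cleartext.
local      all       all                  peer
hostssl    all       all   10.0.0.0/8     scram-sha-256
hostnossl  all       all   0.0.0.0/0      reject

# hostssl lines only match when the server has TLS enabled: in
# postgresql.conf set  ssl = on  and point ssl_cert_file / ssl_key_file
# at the server certificate and key, then reload the server.
```

Reload the configuration after editing and confirm with `SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();` from a network client that the session is actually encrypted.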