Re: Postgresql security checks
| От | Bruce Momjian |
|---|---|
| Тема | Re: Postgresql security checks |
| Дата | |
| Msg-id | 201009072326.o87NQ5l03271@momjian.us обсуждение исходный текст |
| Ответ на | Re: Postgresql security checks (Thom Brown <thom@linux.com>) |
| Ответы |
Re: Postgresql security checks
|
| Список | pgsql-novice |
Thom Brown wrote: > > It is documented here: > > > > ? ? ? ?http://www.postgresql.org/docs/9.0/static/encryption-options.html > > ? ? ? ?17.7. Encryption Options > > ? ? ? ?Encrypting Passwords Across A Network > > > > ? ? ? ? ? ?The MD5 authentication method double-encrypts the password on the > > ? ? ? ?client before sending it to the server. It first MD5-encrypts it based > > ? ? ? ?on the user name, and then encrypts it based on a random salt sent by > > ? ? ? ?the server when the database connection was made. It is this > > ? ? ? ?double-encrypted value that is sent over the network to the server. > > ? ? ? ?Double-encryption not only prevents the password from being discovered, > > ? ? ? ?it also prevents another connection from using the same encrypted > > ? ? ? ?password to connect to the database server at a later time. > > The difference with that is that it's talking about how passwords are > protected by a form of encryption when sent across a connection rather > than how they're stored in a database. Yes, you are right. Should this be documented? Where? -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
В списке pgsql-novice по дате отправления: