Re: MD5 authentication needs help

On Wed, Mar  4, 2015 at 03:59:02PM -0500, Stephen Frost wrote:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > Bruce Momjian <bruce@momjian.us> writes:
> > > Let me update my list of possible improvements:
> > 
> > > 1)  MD5 makes users feel uneasy (though our usage is mostly safe)
> > 
> > > 2)  The per-session salt sent to the client is only 32-bits, meaning
> > > that it is possible to reply an observed MD5 hash in ~16k connection
> > > attempts.
> > 
> > > 3)  Using the user name for the MD5 storage salt allows the MD5 stored
> > > hash to be used on a different cluster if the user used the same
> > > password.
> > 
> > > 4)  Using the user name for the MD5 storage salt allows the MD5 stored
> > > hash to be used on the _same_ cluster.
> > 
> > > 5)  Using the user name for the MD5 storage salt causes the renaming of
> > > a user to break the stored password.
> > 
> > What happened to "possession of the contents of pg_authid is sufficient
> > to log in"?  I thought fixing that was one of the objectives here.
> 
> Yes, it certainly was.  I think Bruce was thinking that we could simply
> hash what goes on to disk with an additional salt that's stored, but
> that wouldn't actually work without requiring a change to the wireline
> protocol, which is the basis of this entire line of discussion, in my
> view.

I was not really focused on needing or not needing wire protocol
changes, but rather trying to understand the attack vectors and how they
could be fixed, in general.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +