Re: Encrypting pg_shadow passwords

At 12:51 AM 26-06-2001 -0400, Jim Mercer wrote:

>my mods are server-side only.
>
>to rewind a bit.
>
>my mods correct this by doing:
>
>with an AUTH_ARGUMENT == "pg_shadow", the process is:
>tmp_pwd = crypt(client->passwd, pg_shadow->passwd)
>if strcmp(tmp_pwd, pg_shadow->passwd) == 0
>   access allowed
>else
>   access not allowed
>
>this is not so much an enhancement, but a correction of what i think the
>original "password" authentication scheme was supposed to allow.
>

Yep it's a correction. pg_shadow shouldn't have been in plaintext in the
first place.
host all 127.0.0.1 255.255.255.255 password 
should have meant check crypted passwords in pg_shadow.

Given your suggestion, what happens when someone does an ALTER USER ...
WITH PASSWORD ....? 

Might it be too late to do a fix? 

HMAC sounds interesting. What would the impact be on stuff like Pg DBD?

Cheerio,
Link.