Re: PostgreSQL Password Cracker

<br /><br /> Bruce Momjian wrote:<br /><blockquote cite="mid200301012309.h01N9ZO28410@candle.pha.pa.us"
type="cite"><prewrap="">mlw wrote: </pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">The comments at
thetop suggest sniffing a Postgres session startup
 
exchange in order to see the MD5 value that the user presents; which the
attacker would then give to this program.  (Forget it if the session is
Unix-local rather than TCP, or if it's SSL-encrypted...)

This is certainly a theoretically possible attack against someone who
has no clue about security, but I don't put any stock in it as a
practical attack.  For starters, if you are talking to your database
across a network that is open to hostile sniffers, you should definitely
be using SSL.
     </pre></blockquote><pre wrap="">This is absolutely correct, shouldn't this be in the FAQ?
</pre></blockquote><prewrap="">
 
Well, this is a pretty rare issue, so it doesn't seem like an FAQ.
People need to understand the ramifications of the various pg_hba.conf
settings, and I think our documentation does that. </pre></blockquote> A good DBA will probably read the docs, a bad
DBAwill probably not, and it is the bad DBA that needs to be guided the most.<br /><br /> Maybe not FAQ, but is the a
shortpage of "dos and don'ts?<br /><br /><br />