Re: Postgresql security checks

On 8 September 2010 00:26, Bruce Momjian <bruce@momjian.us> wrote:
> Thom Brown wrote:
>> > It is documented here:
>> >
>> > ? ? ? ?http://www.postgresql.org/docs/9.0/static/encryption-options.html
>> > ? ? ? ?17.7. Encryption Options
>> > ? ? ? ?Encrypting Passwords Across A Network
>> >
>> > ? ? ? ? ? ?The MD5 authentication method double-encrypts the password on the
>> > ? ? ? ?client before sending it to the server. It first MD5-encrypts it based
>> > ? ? ? ?on the user name, and then encrypts it based on a random salt sent by
>> > ? ? ? ?the server when the database connection was made. It is this
>> > ? ? ? ?double-encrypted value that is sent over the network to the server.
>> > ? ? ? ?Double-encryption not only prevents the password from being discovered,
>> > ? ? ? ?it also prevents another connection from using the same encrypted
>> > ? ? ? ?password to connect to the database server at a later time.
>>
>> The difference with that is that it's talking about how passwords are
>> protected by a form of encryption when sent across a connection rather
>> than how they're stored in a database.
>
> Yes, you are right.  Should this be documented?  Where?

Whether it needs documenting, I'm not sure, but if it were to go
anywhere, I believe it would be here:
http://www.postgresql.org/docs/current/static/catalog-pg-authid.html

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935