Re: Encrypting pg_shadow passwords

On Fri, 15 Jun 2001, Bruce Momjian wrote:

> > > Migrating old sites to encrypted pg_shadow passwords should be easy if a
> > > trigger on pg_shadow will look for unencrypted INSERTs and encrypt them.
> >
> > If encrypting pg_shadow will break the old-style crypt method, then I
> > think forcing a conversion via a trigger is unacceptable.  It will have
> > to be a DBA choice (at configure time, or possibly initdb?) whether to
> > use encryption or not in pg_shadow; accordingly, either crypt or "new
> > crypt" auth method will be supported by the server, not both.  But
> > client libraries could be built to support both auth methods.
>
> I hate to add initdb options because it may be confusing.  I wonder if
> we should have a script that encrypts the pg_shadow entries that can be
> run when the administrator knows that there are no old clients left
> around.  That way it can be run _after_ initdb.

Which clients actually read pg_shadow?  I always thought that only the
postmaster read it.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net        56K Nationwide Dialup from $16.00/mo
atPop4 Networking       Online Campground Directory    http://www.camping-usa.com      Online Giftshop Superstore
http://www.cloudninegifts.com
==========================================================================