Re: Encrypting pg_shadow passwords
From | fche@redhat.com (Frank Ch. Eigler) |
---|---|
Subject | Re: Encrypting pg_shadow passwords |
Date | |
Msg-id | o5lmmegh3j.fsf@toenail.toronto.redhat.com |
In reply to | Re: Re: Encrypting pg_shadow passwords (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: Re: Encrypting pg_shadow passwords |
List | pgsql-hackers |
pgman wrote:
: OK, I get you now. Why not ask the client to do a crypt and compare
: that to pg_shadow. [...]

You can't trust the client to do the one-way encryption, for then the
encrypted password becomes plaintext-equivalent - it defeats the
purpose. (The SMB protocol apparently suffers or suffered from a similar
flaw.)

tgl wrote:
: What this discussion seems to come down to is whether we should take a
: backward step in one area of security (security against wire-sniffing)
: to take a forward step in another (not storing plaintext passwords).
: [...]

It seems to me that the two issues are orthogonal. Authentication and
confidentiality are not mutually dependent or reinforcing, and thus
generally need separate mechanisms.

- FChE
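As an added illustration of the plaintext-equivalence point in the message above (this is example code, not code from the message or from PostgreSQL): the first scheme has the client apply the one-way function and the server store what it receives, the second keeps the one-way function on the server with a per-user salt, and a small check shows which stored record can itself be replayed as a credential. The hash function, salt length and iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Constructed example: two ways a server can check a password against what
# it stores, and a test for whether the stored value is "plaintext-equivalent",
# i.e. sufficient by itself to authenticate.

def client_side_enroll(password: bytes) -> bytes:
    """Scheme criticised in the thread: the client applies the one-way
    function and the server stores exactly what it received."""
    return hashlib.sha256(password).digest()

def client_side_verify(stored: bytes, wire_value: bytes) -> bool:
    """Server compares the client-supplied digest with the stored digest."""
    return hmac.compare_digest(stored, wire_value)

def server_side_enroll(password: bytes) -> bytes:
    """Server-side salted one-way function (PBKDF2 assumed here). The client
    sends the password itself; keeping it confidential on the wire is a
    separate mechanism, as the message argues."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return salt + digest

def server_side_verify(stored: bytes, wire_value: bytes) -> bool:
    """Re-derive the digest from the stored salt and the password received."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", wire_value, salt, 100_000)
    return hmac.compare_digest(digest, candidate)

def stored_value_is_plaintext_equivalent(enroll, verify, password: bytes) -> bool:
    """True when presenting the stored record itself over the wire is accepted:
    a leak of the password table then equals a leak of the passwords."""
    stored = enroll(password)
    return verify(stored, stored)
```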