Re: PATCH: warn about, and deprecate, clear text passwords
From | Guillaume Lelarge |
---|---|
Subject | Re: PATCH: warn about, and deprecate, clear text passwords |
Date | |
Msg-id | 0eda7bf1-bd05-4eb3-a50d-c138c4a9620f@dalibo.com |
In reply to | Re: PATCH: warn about, and deprecate, clear text passwords (Greg Sabino Mullane <htamfids@gmail.com>) |
List | pgsql-hackers |
On 24/02/2025 14:55, Greg Sabino Mullane wrote:
> Guillaume Lelarge <guillaume.lelarge@dalibo.com <mailto:guillaume.lelarge@dalibo.com>> wrote:
>
>> I'm obviously +1 on this patch since I sent kinda the same patch two
>> weeks ago
>
> Ha ha, my brain forgot about that one (even though I commented on it!) -
> apologies for that.

No need to apologize :)

>> set password_encryption to 'md5';
>> create user u4 password 'md5u1';
>> ...
>>
>> It complains that I'm using a plain text password and a MD5-encrypted
>> password. Can't be both. (Probably not an issue with this patch, but
>> rather an issue with the commit that implemented MD5-password warnings.)
>
> This is correct - it can be both. Not only are we sending a password in
> clear text, but we then encrypt it using MD5. Hence, two warnings.
>
>> If I use a real md5 password, it only complains about MD5 encrypted
>> password:
>
> Right. If someone sends us something that looks like an already-encrypted
> password, we just store it. See get_password_type() in
> backend/libpq/crypt.c. In which case, the actual password that a client
> would type in would *not* be what was sent over the wire as part of the
> ALTER USER / CREATE USER, so we don't complain.

Sounds good to me.

--
Guillaume Lelarge
Consultant
https://dalibo.com
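To see why `'md5u1'` is treated as clear text (and so draws both warnings) while a real MD5 secret draws only the MD5 one, here is an added Python sketch of the classification that get_password_type() performs and of the two warnings discussed in the thread. This is not PostgreSQL's code and not from either poster; the regex, the function names and the exact warning strings are my assumptions, and SCRAM secret generation is deliberately not modelled.

```python
import hashlib
import re

# Assumption: an MD5 secret is exactly "md5" followed by 32 lowercase hex
# digits (35 chars total); a SCRAM secret starts with "SCRAM-SHA-256$";
# everything else is treated as plain text, which is why "md5u1" (too
# short, not hex) is a plain-text password, not an MD5 hash.
MD5_SECRET_RE = re.compile(r"^md5[0-9a-f]{32}$")


def get_password_type(shadow_pass: str) -> str:
    """Classify a stored/sent password string the way crypt.c does (sketch)."""
    if MD5_SECRET_RE.match(shadow_pass):
        return "md5"
    if shadow_pass.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    return "plaintext"


def pg_md5_encrypt(password: str, username: str) -> str:
    """Legacy PostgreSQL MD5 secret: "md5" + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def create_user_warnings(password: str, username: str, password_encryption: str):
    """Return (stored_secret, warnings) for CREATE/ALTER USER ... PASSWORD."""
    warnings = []
    if get_password_type(password) == "plaintext":
        # The patch under discussion: a clear-text password was sent on the wire.
        warnings.append("clear text password")
        if password_encryption == "md5":
            stored = pg_md5_encrypt(password, username)
        else:
            stored = "SCRAM-SHA-256$<not modelled>"  # placeholder, see lead-in
    else:
        # Looks already hashed: stored verbatim, nothing was sent in the clear.
        stored = password
    if get_password_type(stored) == "md5":
        # The earlier commit's warning: an MD5 secret is being stored.
        warnings.append("MD5 password")
    return stored, warnings


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's 'md5u1' example for user u4.
    print(create_user_warnings("md5u1", "u4", "md5"))
    print(create_user_warnings(pg_md5_encrypt("secret", "u4"), "u4", "md5"))
```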