Re: Re: Encrypting pg_shadow passwords

From: Bruce Momjian
Subject: Re: Re: Encrypting pg_shadow passwords
Date:
Msg-id: 200107111702.f6BH2nE14874@candle.pha.pa.us
In reply to: Re: Re: Encrypting pg_shadow passwords  (michael@miknet.net (Michael Samuel))
List: pgsql-hackers

> Also, I think we should add to the client API the ability to only accept
> certain authentication schemes, to avoid active attacks tricking your
> software into sending the HMAC password in cleartext.

This is an interesting point.  We have kept 'password' authentication
around for secondary password files and for very old clients, but now
see that having it around can be a security problem because you can ask
the client to send you cleartext passwords.

Comments?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
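
Added example (not part of the original message and not PostgreSQL's own code): a client-side check that inspects the server's authentication request and refuses any scheme outside a caller-supplied allowlist before a credential is sent, so a request for 'password' authentication is rejected instead of answered. It assumes the protocol 3.0 framing of the 'R' message (type byte, int32 length, int32 code), which postdates this message; the policy bits, function name and sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Authentication request codes carried in an 'R' message. */
enum { AUTH_OK = 0, AUTH_CLEARTEXT = 3, AUTH_MD5 = 5, AUTH_SASL = 10 };

/* Hypothetical client policy bits (illustrative, not a libpq API). */
enum { ALLOW_CLEARTEXT = 1, ALLOW_MD5 = 2, ALLOW_SASL = 4 };
enum { PROCEED = 0, REFUSED = -1, MALFORMED = -2 };

/* Constructed sample messages: type byte, int32 length, int32 code, payload. */
static const unsigned char SAMPLE_CLEARTEXT[] = {'R', 0,0,0,8,  0,0,0,3};
static const unsigned char SAMPLE_MD5[] = {'R', 0,0,0,12, 0,0,0,5, 0xde,0xad,0xbe,0xef};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decide, before any credential is sent, whether to answer this request. */
int check_auth_request(const unsigned char *msg, size_t len, unsigned allowed)
{
    if (len < 9 || msg[0] != 'R')
        return MALFORMED;
    uint32_t body = be32(msg + 1);   /* length counts itself, not the type byte */
    if (body < 8 || (size_t)body + 1 != len)
        return MALFORMED;
    switch (be32(msg + 5)) {
    case AUTH_OK:        return PROCEED;   /* no credential is being requested */
    case AUTH_CLEARTEXT: return (allowed & ALLOW_CLEARTEXT) ? PROCEED : REFUSED;
    case AUTH_MD5:       /* must carry exactly a 4-byte salt */
        if (body != 12) return MALFORMED;
        return (allowed & ALLOW_MD5) ? PROCEED : REFUSED;
    case AUTH_SASL:      return (allowed & ALLOW_SASL) ? PROCEED : REFUSED;
    default:             return REFUSED;   /* unknown scheme: fail closed */
    }
}

int main(void)
{
    unsigned policy = ALLOW_MD5 | ALLOW_SASL;   /* cleartext not accepted */
    printf("cleartext request: %d\n",
           check_auth_request(SAMPLE_CLEARTEXT, sizeof SAMPLE_CLEARTEXT, policy));
    printf("md5 request: %d\n",
           check_auth_request(SAMPLE_MD5, sizeof SAMPLE_MD5, policy));
    return 0;
}
```

The check runs on the client, so the decision does not depend on what the server (or anything sitting in the connection path) claims to support.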