Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> Jeff Janes <jeff.janes@gmail.com> writes:
>>> I would suggest going further. I would make the change on the client side,
>>> and have libpq refuse to send unhashed passwords without having an
>>> environment variable set which allows it.
>> As noted, that would break LDAP and RADIUS auth methods; likely also PAM.
> Which would be an altogether good thing as all of those end up exposing
> sensitive information should the server be compromised and a user uses
> one of them to log in.
Hm. I'm less concerned about that scenario than about somebody snooping
the on-the-wire traffic. If we're going to invent a connection setting
for this, I'd say that in addition to "ok to send cleartext password"
and "never ok to send cleartext password", there should be a setting for
"send cleartext password only if connection is encrypted". Possibly
that should even be the default.
(I guess Unix-socket connections would be an exception, since we never
encrypt those.)
BTW, do we have a client-side setting to insist that passwords not be
sent in MD5 hashing either? A person who is paranoid about this would
likely want to disable that code path as well.
regards, tom lane