Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From Greg Stark
Subject Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date
Msg-id 87r7h3bjhu.fsf@stark.xeocode.com
In reply to Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords  (Bruce Momjian <pgman@candle.pha.pa.us>)
Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Stephen Frost <sfrost@snowman.net> writes:

> With the 'md5' method the server will send a randomly
> generated salt to the client which will then concatenate the user's name
> to the password, perform an md5 on that result, then concatenate the
> result of the md5 to the salt provided by the server and will then md5
> that.  

I think that in this case calling it a salt altogether is wrong. It's a
"challenge".

And I'm inclined to suggest that this authentication method be removed
altogether. The security flaw is that it exists at all. Not the details of the
implementation.

-- 
greg


