Password thread (was: Re: [HACKERS] Updated TODO list)

Agreed: over the wire is _very_ important. The question remains: does the
pgsql development team want to take on the responsibility of implementing
such a scheme at the application layer? There are plenty of very good
link/network/transport layer schemes in existence already. You'd just 
be reinventing.

In a benign environment you don't worry about securing the wire (as with
protocols like telnet/rlogin, ftp and POP/IMAP). In a more cautious
environment, you apply well-known and understood encryption/authentication
schemes at a layer below the application (IPsec, SSH, SSL, Java security,
Kerberos, and there are plenty in the Microsoft world too).

But above all: do not store passwords in cleartext. It makes it
ridiculously easy for an attacker to take over user accounts.  Let's say
they're kiddies who cracked root just by using a widely available exploit,
then, for free, they get the rest of the passwords in clear. Bonus!

Ciao--Louis  <louis@bertrandtech.on.ca> 

Louis Bertrand       http://www.bertrandtech.on.ca
Bertrand Technical Services, Bowmanville, ON, Canada  
Tel: +1.905.623.8925  Fax: +1.905.623.3852

OpenBSD: Secure by default.  http://www.openbsd.org/

On Thu, 15 Jul 1999, Bruce Momjian wrote:

> > I agree with Gene. Following this discussion, I sense a reluctance to
> > implement stronger password schemes because of the extra development
> > hassles (compatibility, crypto prohibitions, maintenance).
> > 
> > 1) Divide and conquer: the developers are concerned about both "over the
> > wire" and server passwords. I suggest you focus on the server side and
> > leave the over the wire security to the DB admin/sys.admin as an
> > installation issue. If they choose to use SSL, SSH, IPsec or a home-grown
> > authentication handshake, that's of no concern to pgsql. Just think of it
> > as a telnet session into the server.
> > 
> > 2) On the server side, use the native crypt(3) by default (or the NT
> > equivalent) and store the password hash. The strength of the crypt will
> > vary depending on the installation, but that's really up to the choice of
> > OS and installation. If someone wants to patch for PAM, Kerberos or
> > whatever, that's fine too, as long as you can always revert back to the
> > plain old crypt(3).
> > 
> 
> I disagree.  Over the wire seems more important than protecting the
> passwords from the eyes of the database administrator, which in _most_
> cases is the system owner anyway.
> 
> -- 
>   Bruce Momjian                        |  http://www.op.net/~candle
>   maillist@candle.pha.pa.us            |  (610) 853-3000
>   +  If your life is a hard drive,     |  830 Blythe Avenue
>   +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
> 
> 
>