Re: Re: Proposal for encrypting pg_shadow passwords

Bruce Momjian writes:

> OK, here is a new patch that creates a new md5 keyword on pg_hba.conf.
> That certainly makes my coding easier, and when I apply the patch to use
> larger salt for MD5, there is now a good reason to have a different
> keyword.  With the old system, they could have used an old client to
> reply a sniffed packet, while now, if the host is set to MD5, they have
> a much larger namespace with no fallback to crypt.

I don't follow this argument.  You added a config option that toggles
whether to use the old crypt(3) method or the new md5 method.  If the old
method is enabled then everything works as until now.  If the new method
is enabled, old clients will fail smoothly.  I don't see why you need to
introduce a new authentication type token; I thought the idea was to allow
this to work transparently.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter