>
> > Bruce Momjian <maillist@candle.pha.pa.us> writes:
> > >> DB admin has no business knowing other's passwords. The current security
> > >> scheme is seriously flawed.
> >
> > > But it is the db passwords, not the Unix passwords.
> >
> > I think the original point was that some people use the same or related
> > passwords for psql as for their login password.
> >
> > Nonetheless, since we have no equivalent of "passwd" that would let a
> > db user change his db password for himself, it's a little silly to
> > talk about hiding db passwords from the admin who puts them in.
> >
> > If this is a concern, we'd need to add both encrypted storage of
> > passwords and a remote-password-change feature.
>
> Doing the random salt over the wire would still be a problem.
And I don't like password's at all. Well, up to now the bare
PostgreSQL doesn't need anything else. But would it really
hurt to use ssl in the case someone needs security? I don't
know exactly, but the authorized keys might reside in a new
system catalog. So such a secure installation can live with a
wide open hba.conf and who can be who is controlled by
pg_authorizedkeys then.
As a side effect, all communication between the backend and
the client would be crypted, so no wire listener could see
anything :-)
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#========================================= wieck@debis.com (Jan Wieck) #