Thread: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

From
"D. Dante Lorenso"
Date:
Crypt sounds good.  I like that idea.  I also use the unix crypt
function to password protect httpd.

Right now this is done with PERL doing the encryption and sticking
it into the database in a char field.  Then, another prog dumps
the passwords periodically into the httpd password file.

This would allow me to export the crypted passwords to the webserver
as well?  It would be convenient to be able to use the same password
in both places.

------- OTHER WISE ---- CAN WE STEAL IDEAS FROM OTHERS? --------

I'm also running MySQL (trying to switch to PG, but waiting for ODBC
to catch up), I like the mysql feature of inserting passwords by:

    insert into user (host,user,password)
    values ("domain.com","dlorenso",password('psswrd'));

then if I

    select host,user,password from user;

I will get something like:

...
| domain.com | dlorenso | 2cfcb63e23e2d463 |
...

Dante


.------------------------------------------.-----------------------.
|  _ dlorenso@afai.com - D. Dante Lorenso  | Network Administrator |
| | |    ___  _ _  ___  __ _  ___  ___     |                       |
| | |__ / o \| '_|/ o_\|  \ |\_ _\/ o \    | Accounting Firms      |
| |____|\___/|_|  \___/|_|\_|\___|\___/    | Associated, inc.      |
| http://www.afai.com/~dlorenso            | http://www.afai.com/  |
'------------------------------------------'-----------------------'
-----Original Message-----
From: Brett McCormick <brett@work.chicken.org>
To: Jan Wieck <jwieck@debis.com>
Cc: Zeugswetter Andreas SARZ <Andreas.Zeugswetter@telecom.at>;
pgsql-hackers@hub.org <pgsql-hackers@hub.org>
Date: Thursday, February 19, 1998 12:53 PM
Subject: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)


>
>Have we considered using the unix crypt function for passwords?  That
>way it wouldn't matter (as much) if people saw the password, and would
>still be (somewhat less) secure.
>
>On Thu, 19 February 1998, at 15:55:07, Jan Wieck wrote:
>
>>     Cracked!
>>
>>     create table get_passwds (usename name, passwd text);
>>     insert into get_passwds select usename, passwd from pg_user;
>>     select * from get_passwds;
>>     usename|passwd
>>     -------+------
>>     pgsql  |
>>     wieck  |test
>>     (2 rows)
>>
>>
>>
>> Sorry, Jan
>>
>> --
>>
>> #======================================================================#
>> # It's easier to get forgiveness for being wrong than for being right. #
>> # Let's break this rule - forgive me.                                  #
>> #======================================== jwieck@debis.com (Jan Wieck) #
>>
>>
>


Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

From
Ronald Baljeu
Date:
> ------- OTHER WISE ---- CAN WE STEAL IDEAS FROM OTHERS? --------
>
> I'm also running MySQL (trying to switch to PG, but waiting for ODBC
> to catch up), I like the mysql feature of inserting passwords by:
>
>     insert into user (host,user,password)
>     values ("domain.com","dlorenso",password('psswrd'));

Hmmm... When I read this, another (related) idea pops into my head.
It's probably nothing, but:

what about defining a new type 'passwd', with
an input (or output) routine which does the crypting?

Cheers,
Ronald

Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

From
Bruce Momjian
Date:
>
> > ------- OTHER WISE ---- CAN WE STEAL IDEAS FROM OTHERS? --------
> >
> > I'm also running MySQL (trying to switch to PG, but waiting for ODBC
> > to catch up), I like the mysql feature of inserting passwords by:
> >
> >     insert into user (host,user,password)
> >     values ("domain.com","dlorenso",password('psswrd'));
>
> Hmmm... When I read this, another (related) idea pops into my head.
> It's probably nothing, but:
>
> what about defining a new type 'passwd', with
> an input (or output) routine which does the crypting?

If they do a binary cursor, does the output function get called?

--
Bruce Momjian
maillist@candle.pha.pa.us

Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

From
Ronald Baljeu
Date:
> >
> > > ------- OTHER WISE ---- CAN WE STEAL IDEAS FROM OTHERS? --------
> > >
> > > I'm also running MySQL (trying to switch to PG, but waiting for ODBC
> > > to catch up), I like the mysql feature of inserting passwords by:
> > >
> > >     insert into user (host,user,password)
> > >     values ("domain.com","dlorenso",password('psswrd'));
> >
> > Hmmm... When I read this, another (related) idea pops into my head.
> > It's probably nothing, but:
> >
> > what about defining a new type 'passwd', with
> > an input (or output) routine which does the crypting?
>
> If they do a binary cursor, does the output function get called?

Oops, I haven't thought about that. I guess it doesn't :(
Ok, what about an input routine that does the crypting?

One down, one to go...

Cheers,
Ronald

Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

From
Bruce Momjian
Date:
>
> > >
> > > > ------- OTHER WISE ---- CAN WE STEAL IDEAS FROM OTHERS? --------
> > > >
> > > > I'm also running MySQL (trying to switch to PG, but waiting for ODBC
> > > > to catch up), I like the mysql feature of inserting passwords by:
> > > >
> > > >     insert into user (host,user,password)
> > > >     values ("domain.com","dlorenso",password('psswrd'));
> > >
> > > Hmmm... When I read this, another (related) idea pops into my head.
> > > It's probably nothing, but:
> > >
> > > what about defining a new type 'passwd', with
> > > an input (or output) routine which does the crypting?
> >
> > If they do a binary cursor, does the output function get called?
>
> Oops, I haven't thought about that. I guess it doesn't :(
> Ok, what about an input routine that does the crypting?
>
> One down, one to go...
>
> Cheers,
> Ronald
>

Then, the backend can't find the original password to test the random
salt on.
--
Bruce Momjian
maillist@candle.pha.pa.us
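
The objection in the last message, worked through as an added example (not code from the thread or from PostgreSQL): if the input routine stores only a crypted password, a backend that challenges each connection with a random salt can no longer recompute the expected answer. It assumes the backend sends a fresh salt and the client returns the hash of its password under that salt; SHA-256 stands in for crypt(3), and every function name and sample value is hypothetical.

```python
import hashlib
import hmac
import os

def h(salt: bytes, secret: bytes) -> bytes:
    """Stand-in for crypt(3): a salted one-way hash (SHA-256 is an assumption)."""
    return hashlib.sha256(salt + secret).hexdigest().encode()

def client_response(password: bytes, challenge: bytes) -> bytes:
    # Client hashes the typed password with the salt the backend just sent.
    return h(challenge, password)

def client_response_nested(password: bytes, stored_salt: bytes, challenge: bytes) -> bytes:
    # Client first rebuilds the stored form, then applies the per-connection salt.
    return h(challenge, h(stored_salt, password))

def backend_check_plaintext(stored_plain: bytes, challenge: bytes, response: bytes) -> bool:
    # Verifiable, but only because pg_user holds the clear-text password.
    return hmac.compare_digest(h(challenge, stored_plain), response)

def backend_check_hashed(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    # Backend holds only h(stored_salt, password). It cannot derive
    # h(challenge, password); all it can do is salt the value it has.
    return hmac.compare_digest(h(challenge, stored_hash), response)

def demo() -> dict:
    password = b"test"                      # constructed sample value
    stored_salt = b"ab"                     # constructed; fixed when the password was set
    stored_hash = h(stored_salt, password)  # what a crypting input routine would keep
    challenge = os.urandom(4)               # fresh random salt for this connection
    plain = client_response(password, challenge)
    nested = client_response_nested(password, stored_salt, challenge)
    return {
        # Clear-text storage: challenge/response verifies.
        "plaintext_store": backend_check_plaintext(password, challenge, plain),
        # Crypted storage, unchanged client: the backend has nothing to compare with.
        "hashed_store": backend_check_hashed(stored_hash, challenge, plain),
        # Crypted storage, client told the stored salt as well: verifies again.
        "hashed_store_nested": backend_check_hashed(stored_hash, challenge, nested),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In the nested variant the stored hash by itself is enough to answer a challenge, so read access to the password column still has to be restricted.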