* Michael Samuel (m...@miknet.net) wrote:
> On 4 March 2015 at 12:03, Aaron Zauner <a...@azet.org> wrote:
> >> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
> >> I have no idea why anyone would think it's better to store a cleartext
> >> version of your password in the pg_authid data (note that pg_shadow is
> >> only a view now, I replaced it long ago when I rewrote the user/group
> >> system to be role-based).
>
> I was referring to the pg_hba.conf setting in my recommendation.
> Using "password" there does not change the stored hash, it only
> changes the network protocol.

Then it's simply a trade-off between trusting the network traffic, as the
password will then be sent *in-cleartext* across the wire, and trusting the
data on disk (which, as discussed, if you have access to already then you
hardly need the password). PG does allow you to make that trade-off, but
having a challenge/response to protect the hash of the password as it goes
across the network is far more useful than trying to protect something in
pg_authid, which you can only get if you've already compromised the postgres
account.

> > Agreed - most enterprise or cloud deployment I've been involved with
> > use either PKIX or kerberos. This is a good security measure.
> > Replacing MD5 would be nice as well (scrypt, bcrypt?). But I guess a
> > debian bug report is the wrong place to discuss this.
>
> Agree that debian bug is wrong place to discuss fixing password hashing.

The current discussion in the community is about implementing SCRAM with
SASL as an additional authentication method. You would certainly be welcome
to provide any thoughts you have to the thread on pgsql-hackers.

Thanks,

Stephen
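The trade-off discussed in this thread, as an added worked example that is not part of the bug report and is not PostgreSQL's own code: a small simulation of what the pg_hba.conf methods `password` and `md5` each put on the wire and how the server checks them. It follows PostgreSQL's documented MD5 scheme (stored value `"md5" + md5(password || username)`, challenge answer `"md5" + md5(md5(password || username) || salt)`); the function names, the user name, the password and the fixed salt are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not taken from the thread or from PostgreSQL. The usernames,
# passwords and fixed salt used below are constructed sample values.


def stored_md5_hash(username: str, password: str) -> str:
    """Value PostgreSQL keeps in pg_authid.rolpassword for an MD5 password:
    "md5" followed by md5(password || username). It is the same whether
    pg_hba.conf later says 'password' or 'md5' (only the wire format differs)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_challenge_response(username: str, password: str, salt: bytes) -> str:
    """Client side of the 'md5' method: the server sends a 4-byte salt and the
    client answers "md5" + md5(md5(password || username) || salt).
    The cleartext password itself never leaves the client."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_verify_md5(stored: str, salt: bytes, response: str) -> bool:
    """Server side of 'md5': recompute the expected answer from the stored hash
    alone (the server never needs the cleartext password) and compare."""
    if not stored.startswith("md5"):
        return False
    inner = stored[3:]
    expected = "md5" + hashlib.md5(inner.encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def server_verify_cleartext(stored: str, username: str, sent_password: str) -> bool:
    """Server side of 'password': hash what arrived and compare with pg_authid."""
    return hmac.compare_digest(stored, stored_md5_hash(username, sent_password))


def simulate(method: str, username: str, password: str, stored: str,
             salt: Optional[bytes] = None) -> Tuple[bytes, bool]:
    """Run one authentication attempt.
    Returns (bytes the client sent over the network, whether the server accepted)."""
    if method == "password":
        # Cleartext method: the secret itself crosses the wire.
        wire = password.encode()
        return wire, server_verify_cleartext(stored, username, password)
    if method == "md5":
        # Challenge/response: only a salted digest crosses the wire.
        salt = salt if salt is not None else os.urandom(4)
        wire = md5_challenge_response(username, password, salt).encode()
        return wire, server_verify_md5(stored, salt, wire.decode())
    raise ValueError(f"unsupported pg_hba.conf method: {method}")


if __name__ == "__main__":
    user, pw = "alice", "correct horse"          # constructed credentials
    stored = stored_md5_hash(user, pw)           # what pg_authid would hold
    for method in ("password", "md5"):
        wire, ok = simulate(method, user, pw, stored, salt=b"\x00\x01\x02\x03")
        print(f"{method:8s} wire={wire!r} accepted={ok} "
              f"password_on_wire={pw.encode() in wire}")
```

Two things the run makes visible that the thread states in prose: the stored value is identical for both methods, so the pg_hba.conf choice only decides whether the cleartext password or a per-connection salted digest is exposed to anyone watching the network; and the server verifies the `md5` exchange from the stored hash alone, which is why the thread treats read access to pg_authid as already equivalent to holding the credential, and why the community's move toward SCRAM (mentioned above) matters for the on-disk side as well.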