Aaron,
* Aaron Zauner (a...@azet.org) wrote:
> I think we should take this discussion to an appropriate PostgreSQL
> mailing list (please feel free to include me in a thread if you start
> one). But I think it's best to close this bug for now. I agree that MD5
> needs to be replaced, but using pla
Hi,
I think we should take this discussion to an appropriate PostgreSQL
mailing list (please feel free to include me in a thread if you start
one). But I think it's best to close this bug for now. I agree that MD5
needs to be replaced, but using plaintext instead is certainly no option.
Aaron
* Christoph Berg (m...@debian.org) wrote:
> Re: Stephen Frost 2015-03-04 <20150304145551.gu29...@tamriel.snowman.net>
> > > Just to put the idea out there; PGSQL currently links to OpenSSL for
> > > TLS, right? TLS has support for SRP [0] [1]. This could be used for
> > > password based authenticat
* Michael Samuel (m...@miknet.net) wrote:
> I think the direction upstream is going with SCRAM (or similar) is
> fine, but either new hashes are required or using a customized code
> base that uses MD5(password|username) where the password would
> normally be directly input is needed.
For my 2c, I
On 5 March 2015 at 22:39, Aaron Zauner wrote:
> Yep. I confused SRP with PSK ciphersuites here. There're no ciphersuites
> that support PKIX and SRP. Unfortunately there's also only AES-CBC
> (mac-then-encrypt) as a possible option when using SRP.
> https://www.iana.org/assignments/tls-parameters
Michael Samuel wrote:
> Hi,
>
> On 5 March 2015 at 19:58, Christoph Berg wrote:
>>> That's an excellent thought.. I wasn't aware of this. Unfortunately,
>>> I'm not sure that we could make it the default in Debian as it requires
>>> server-side certificates be configured and used properly (co
Hi,
On 5 March 2015 at 19:58, Christoph Berg wrote:
>> That's an excellent thought.. I wasn't aware of this. Unfortunately,
>> I'm not sure that we could make it the default in Debian as it requires
>> server-side certificates be configured and used properly (correct?) but
>> I don't see a reas
Re: Stephen Frost 2015-03-04 <20150304145551.gu29...@tamriel.snowman.net>
> > Just to put the idea out there; PGSQL currently links to OpenSSL for
> > TLS, right? TLS has support for SRP [0] [1]. This could be used for
> > password based authenticated TLS sessions without client certificates.
> > M
Hi,
On 5 March 2015 at 01:25, Stephen Frost wrote:
> I was hoping for an option which would actually improve it, not make it
> the same as another mechanism that already exists..
Ok, so my general advice would definitely still be to use "password"
authentication for unix and TLS sockets. When p
Hi Stephen
Stephen Frost wrote:
>
> That's an excellent thought.. I wasn't aware of this. Unfortunately,
> I'm not sure that we could make it the default in Debian as it requires
> server-side certificates be configured and used properly (correct?) but
> I don't see a reason to not support it a
Aaron,
* Aaron Zauner (a...@azet.org) wrote:
> Stephen Frost wrote:
> > We're currently looking at getting SCRAM support by implementing SASL,
> > but I'm worried that we'll then create a dependency on SASL that people
> > won't be happy with and therefore I'm very curious about how difficult
> >
Hi,
Stephen Frost wrote:
>
> PG supports client-side certificate based authentication which would be
> far better than any kind of password-based authentication. If password
> based auth is insisted upon then TLS to verify the server-side and
> protect the network connection would be good and re
Michael,
* Michael Samuel (m...@miknet.net) wrote:
> On 4 March 2015 at 15:22, Stephen Frost wrote:
> > That really just changes it back to the 'password' case though, doesn't
> > it? An attacker who can sniff the network would get the response from
> > the client and be able to use it in a repl
Hi,
On 4 March 2015 at 15:22, Stephen Frost wrote:
> That really just changes it back to the 'password' case though, doesn't
> it? An attacker who can sniff the network would get the response from
> the client and be able to use it in a replay attack just as if it was
> the password.
They can a
Michael,
* Michael Samuel (m...@miknet.net) wrote:
> On 4 March 2015 at 12:33, Stephen Frost wrote:
> > To be clear, I *am* from the PostgreSQL community and I'd be happy to
> > discuss any useful suggestions about providing an alternative that
> > doesn't break the wireline protocol, because as
Hi,
On 4 March 2015 at 12:33, Stephen Frost wrote:
> * Michael Samuel (m...@miknet.net) wrote:
>> - I don't recommend storing the password in cleartext
>> - I *do* recommend exchanging the password in cleartext over the network
>
> And I will continue to argue that it's far worse these days to se
* Michael Samuel (m...@miknet.net) wrote:
> - I don't recommend storing the password in cleartext
> - I *do* recommend exchanging the password in cleartext over the network
And I will continue to argue that it's far worse these days to send the
password in cleartext across the wire.
> This is bec
* Michael Samuel (m...@miknet.net) wrote:
> On 4 March 2015 at 12:03, Aaron Zauner wrote:
> >> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
> >> I have no idea why anyone would think it's better to store a cleartext
> >> version of your password in the pg_authid data (n
Just to make it clear:
- I don't recommend storing the password in cleartext
- I *do* recommend exchanging the password in cleartext over the network
This is because the exchange network protocol is vulnerable to "pass
the hash" - so somebody who has your pg_shadow but can't crack your
password c
Hi,
On 4 March 2015 at 12:03, Aaron Zauner wrote:
>> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
>> I have no idea why anyone would think it's better to store a cleartext
>> version of your password in the pg_authid data (note that pg_shadow is
>> only a view now, I r
Hi Stephen,
* Stephen Frost [04/03/2015 01:45:56] wrote:
> Aaron,
>
> * Aaron Zauner (a...@azet.org) wrote:
> > Debian ships a set of Perl scripts to configure for PostgreSQL server
> > configurations, these are quite outdated and are currently configuring
> > authentication to use MD5 when 'pas
Aaron,
* Aaron Zauner (a...@azet.org) wrote:
> Debian ships a set of Perl scripts to configure for PostgreSQL server
> configurations, these are quite outdated and are currently configuring
> authentication to use MD5 when 'password' should be used instead.
Uh, no, using 'password' is far worse,
Package: postgresql
Severity: important
Tags: security
Hi,
Debian ships a set of Perl scripts to configure for PostgreSQL server
configurations, these are quite outdated and are currently configuring
authentication to use MD5 when 'password' should be used instead.
http://www.openwall.com/lists/