Bugtraq mailing list archives
Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
From: Stephen Frost <sfrost () snowman net>
Date: Wed, 20 Apr 2005 15:44:09 -0400
* David F. Skoll (dfs () roaringpenguin com) wrote:
> Stephen Frost wrote:
> > The md5 hash which is generated for and stored in pg_shadow does not use a random salt but instead uses the username which can generally be determined ahead of time (especially for the 'postgres' superuser account).
>
> I noted that this was a problem back in August, 2002:
> http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php
>
> Then, as now, the developers weren't very concerned.
I have some hopes that pointing out the rather large problem with the md5 authentication mechanism in pg_hba.conf will lead them to discourage its use and thus reduce the occurrences of the salt being made available to the user, giving more weight to the usefulness of having it be a random salt. Additionally, it's been a few years; perhaps viewpoints have changed.

Stephen
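To make the point of the thread concrete, the following is an added example (not code from the thread or from the PostgreSQL project) that reproduces the pg_shadow "md5" password format, which is the literal prefix `md5` followed by the hex MD5 of the password concatenated with the username, and contrasts it with a hash that uses a per-entry random salt. It also includes a small audit helper that flags active `md5` method entries in a pg_hba.conf file; the pg_hba.conf lines it scans are constructed for the example, and it assumes host entries use CIDR-form addresses rather than a separate netmask field.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample pg_hba.conf content (not taken from the thread) used by the audit check.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   md5
host    all       all       10.0.0.0/8     md5
hostssl all       all       0.0.0.0/0      scram-sha-256
"""


def pg_md5_password_hash(password: str, username: str) -> str:
    """Reproduce the 'md5' password format PostgreSQL stores in pg_shadow:
    'md5' + hex(md5(password || username)).

    The only "salt" is the username, so the value is fully deterministic:
    the same password for the same role always produces the same string."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def random_salted_hash(password: str, salt: Optional[bytes] = None,
                       iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Contrast: a 16-byte random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Storing the same password twice yields unrelated hashes, so a
    precomputed table keyed on a predictable salt is useless."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def verify_random_salted(password: str, salt: bytes, expected: bytes,
                         iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, derived = random_salted_hash(password, salt, iterations)
    return hmac.compare_digest(derived, expected)


def md5_auth_lines(pg_hba_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every active pg_hba.conf entry whose
    METHOD field is 'md5'. Comments and blank lines are skipped.
    Assumption: host-type entries use ADDRESS in CIDR form, so METHOD is
    the 4th field for 'local' entries and the 5th for host* entries."""
    flagged = []
    for number, raw in enumerate(pg_hba_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        method_idx = 3 if fields[0] == "local" else 4
        if len(fields) > method_idx and fields[method_idx].lower() == "md5":
            flagged.append((number, raw))
    return flagged


if __name__ == "__main__":
    # Same password, same role name: identical stored value every time.
    print(pg_md5_password_hash("example-password", "postgres"))
    print(pg_md5_password_hash("example-password", "postgres"))
    # Same password, random salt: two different stored values.
    salt_a, hash_a = random_salted_hash("example-password")
    salt_b, hash_b = random_salted_hash("example-password")
    print(hash_a != hash_b, verify_random_salted("example-password", salt_a, hash_a))
    for number, line in md5_auth_lines(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {number} uses md5 auth: {line}")
```

The audit helper only reports where the `md5` method is in use; on current PostgreSQL releases the `scram-sha-256` method, which derives a random per-role salt, is the usual replacement for both the stored hash format and the pg_hba.conf authentication method.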