Bugtraq mailing list archives
Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted
From: Stephen Frost <sfrost () snowman net>
Date: Sat, 23 Apr 2005 09:02:37 -0400
* Antoine Martin (antoine () nagafix co uk) wrote:
Basically, multiple input data that have the same output hash, which is of no use when what you are trying to find is the input. Finding collisions quicker for a known input is one thing, but that is not going to reduce the search space, not even your storage space (it is unlikely that the colliding results would all be valid input).
Erm, you aren't necessairly trying to find the input... It may be the case that you're trying to find what you need to authenticate to this server, or any other PostgreSQL server where the same userid & input are used. In that case you just need something that hashes to the same thing. Using a random salt would mean that it's different per server so breaking it on one doesn't help you against another server unless you happened to find the actual original input.
Is adding the non-guessable salt that hard anyway?
It is if you want to continue to support the 'md5' method in pg_hba.conf because the wireline protocol will probably need to change. A less intrusive alternative would be to add an 'with encrypted password 'xyz' with random salt' or some such which would only be supported with the 'password' method in pg_hba.conf. One problem with this is that you then can't just switch from password to md5 or back again. Perhaps that's ok though? Comments? Stephen
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords, (continued)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim C. Nasby (Apr 20)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Tom Lane (Apr 20)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Bruce Momjian (Apr 20)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Tom Lane (Apr 20)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords David F. Skoll (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim C. Nasby (Apr 20)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim C. Nasby (Apr 20)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Bruno Wolff III (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Antoine Martin (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Stephen Frost (Apr 23)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Antoine Martin (Apr 23)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Joshua D. Drake (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Stephen Frost (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Lance James (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Rod Taylor (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Tino Wildenhain (Apr 21)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted Michael Samuel (Apr 22)
- Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Jim Knoble (Apr 21)
- RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords Mike Fratto (Apr 21)