Bugtraq mailing list archives

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords


From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Wed, 20 Apr 2005 15:36:53 -0400

Stephen Frost wrote:

  The md5 hash which is generated for and stored in pg_shadow does not
  use a random salt but instead uses the username which can generally be
  determined ahead of time (especially for the 'postgres' superuser
  account).

I noted that this was a problem back in August, 2002:

http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php

Then, as now, the developers weren't very concerned.

Regards,

David.
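The property described in the quoted message, as an added example that is not part of the original post: because the stored value is `md5` followed by the MD5 of the password concatenated with the username, the same username and password give the same `pg_shadow` entry on every installation, while a per-account random salt does not. The PBKDF2 function is an illustrative contrast, not PostgreSQL code, and the password is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def pg_md5_verifier(username: str, password: str) -> str:
    """Stored md5 value: 'md5' + hex(md5(password || username))."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def random_salt_verifier(password: str,
                         salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Illustrative contrast (assumption, not PostgreSQL's scheme):
    PBKDF2-HMAC-SHA256 with a 16-byte random salt per account."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, 100_000)
    return salt, derived


def check_random_salt(password: str, salt: bytes, expected: bytes) -> bool:
    """Verify a password against a stored (salt, derived) pair."""
    _, derived = random_salt_verifier(password, salt)
    return hmac.compare_digest(derived, expected)


def compare_installations(username: str, password: str) -> Tuple[bool, bool]:
    """Model two independent servers storing the same credentials.

    Returns (md5_entries_equal, random_salt_entries_equal)."""
    md5_equal = (pg_md5_verifier(username, password)
                 == pg_md5_verifier(username, password))
    _, site_a = random_salt_verifier(password)
    _, site_b = random_salt_verifier(password)
    return md5_equal, site_a == site_b


if __name__ == "__main__":
    sample_pw = "constructed-sample-password"  # constructed, not from the page
    print(pg_md5_verifier("postgres", sample_pw))
    print(compare_installations("postgres", sample_pw))
```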

