Chris Nighswonger wrote:
> On 10/2/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
>> Chris Nighswonger wrote:
>>> On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
>>> Maybe hash it in the Java script (or whatever method you choose),
>>> store the hash in a cookie, transmit the hash, have the code unhash
>>> and pass the password to the DBI connect routine. Thus the only place
>>> the password is in plain text is in the connect routine. (One must
>>> wonder why the connect routine is not written to take hashed passwords
>>> to begin with.)
>> Or perhaps just require ssl connectivity to postgresql.
>
> I had this thought as well, but was not sure whether this was
> considered part of deployment of LedgerSMB rather than coding and
> therefore the responsibility of the installer/admin. In any case ssl
> adds more security to the dataflow in general, whether or not it is
> the solution in this case.

IMO this is a problem, in general to the idea of having roles in the
database, regardless of application. My take is very simple:

1. Document strongly that SSL enabled postgresql is the way to run
   LedgerSMB. Provide links, howtos etc...

2. Document that if they are unable to use PostgreSQL with ssl that they
   need a secondary authentication system such as http-auth in front of
   PostgreSQL.

In short, imo this is an administrator problem, not a LSMB problem.

Joshua D. Drake

> Chris

-- 
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997  http://www.commandprompt.com/
UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/

_______________________________________________
Ledger-smb-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
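As an added example (not from this thread and not LedgerSMB's own configuration), one way an administrator can enforce point 1 on the server side is a pg_hba.conf fragment with the weak entry beside the corrected one; the database name and address ranges are assumed.

```conf
# pg_hba.conf fragment (added example; "ledgersmb" and the address
# ranges are assumed). The server also needs ssl = on in postgresql.conf
# and a server certificate, or the hostssl lines can never match.
# TYPE      DATABASE    USER    CIDR-ADDRESS    METHOD

# Weak: "host" matches both SSL and non-SSL TCP connections, so a client
# that does not request SSL sends its credentials and every query,
# including the password handling the thread is discussing, over a
# cleartext channel and nothing on the server objects.
# host      ledgersmb   all     10.0.0.0/8      md5

# Corrected: accept the application's database roles only over SSL, and
# explicitly reject any non-SSL attempt so a misconfigured client fails
# loudly instead of silently falling back to cleartext.
hostssl     ledgersmb   all     10.0.0.0/8      md5
hostnossl   ledgersmb   all     0.0.0.0/0       reject

# Entries are matched first-to-last; keep these above any broader "host"
# line that could still match the same roles, and reload the server
# after editing so the new rules take effect.
```

On the client side, DBD::Pg passes libpq parameters such as sslmode=require through the DSN, so the application's connect string can insist on SSL as well rather than relying on the server rule alone.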
