Jodi Kanter wrote: > We are currently using the pg_passwd utility to encrypt passwords. > Someone here told me that I can now encrypt passwords within postgresql > so that they are not stored in plain text in the pg_shadow file. > Is this true? I cannot seem to find any mention of it in my postgresql > books but it's quite possible that they were all written prior to the > release of 7.2.
See http://www.postgresql.org/idocs/index.php?runtime-config.html , a bit more than half way down: "PASSWORD_ENCRYPTION (boolean) When a password is specified in CREATE USER or ALTER USER without writing either ENCRYPTED or UNENCRYPTED, this flag determines whether the password is to be encrypted. The default is off (do not encrypt the password), but this choice may change in a future release. " You can change this in postgresql.conf. Note that ENCRYPTED is the default as of 7.3. Also see ALTER USER: http://www.postgresql.org/idocs/index.php?sql-alteruser.html And pg_hba.conf: http://www.postgresql.org/idocs/index.php?client-authentication.html#PG-HBA-CONF Look for md5. The basic idea is that ENCRYPTED vs UNENCRYPTED default is controlled by PASSWORD_ENCRYPTION in the postgresql.conf file. ALTER USER can explicitly set a user's password as ENCRYPTED. You need to modify pg_hba.conf to allow "md5" instead of "password" HTH, Joe ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
