Greetings,

* Tatsuo Ishii (is...@sraoss.co.jp) wrote:
> > Yes, really, it's a known-broken system which suffers from such an old
> > and well known attack that it's been given a name: pass-the-hash. As
> > was discussed on this thread even, just the fact that it's not trivial
> > to break on the wire doesn't make it not-broken, particularly when we
> > use the username (which is rather commonly the same one used across
> > multiple systems..) as the salt. Worse, md5 isn't exactly the pinnacle
>
> I am not a big fan of md5 auth but saying that md5 auth uses username
> as the salt is oversimplified. The md5 hashed password stored in
> pg_shadow is created as md5(password + username). But the md5 hashed
> password flying over wire is using a random salt like md5(md5(password
> + username) + random_salt).

Err, no, it's not oversimplified at all- we do, in fact, as you say
above, use the username as the salt for what gets stored in pg_authid
(pg_shadow is just a view). That's absolutely a problem because servers
can be compromised, backups can be compromised, and when it comes to PG
servers you don't even need to actually bother cracking the password
once you've gained access to an md5 value in pg_authid anyway.

Yes, we do use a challenge/response over the wire but that doesn't
absolve us of the fact that the hashes we store in pg_authid with the
md5 method are subject to pass-the-hash and brute-force attacks against
them. If anything, the challenge/response over the wire is less useful
considering the common usage of TLS these days.

Thanks,

Stephen
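
The two constructions discussed in this message, modelled as an added example that is not part of the original email and is not PostgreSQL's own code. It shows that the username-salted value is identical wherever the same role name and password are reused, that the server-side check of the wire response depends only on the stored value, and how to flag roles still on the md5 method. Function names and sample credentials are constructed; the 4-byte salt length is that of the protocol's md5 challenge.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, username: str) -> str:
    # Stored in pg_authid for the md5 method: "md5" + md5(password + username).
    return "md5" + md5_hex(password.encode() + username.encode())


def expected_response(verifier: str, salt: bytes) -> str:
    # Wire form: "md5" + md5(md5(password + username) + random_salt).
    # The inner hash is exactly the hex part of the stored verifier.
    return "md5" + md5_hex(verifier[3:].encode() + salt)


def server_accepts(verifier: str, salt: bytes, response: str) -> bool:
    # The only secret input to this check is the stored verifier itself,
    # which is why a leaked pg_authid row is as sensitive as the password.
    return hmac.compare_digest(expected_response(verifier, salt), response)


def roles_using_md5(rows):
    # Defender's audit over (rolname, rolpassword) pairs: md5 verifiers are
    # "md5" + 32 hex digits; SCRAM verifiers start with "SCRAM-SHA-256$".
    return [name for name, pw in rows
            if pw and pw.startswith("md5") and len(pw) == 35]


if __name__ == "__main__":
    # Constructed sample data: same role name and password on two servers.
    on_server_a = stored_verifier("correct horse", "app")
    on_server_b = stored_verifier("correct horse", "app")
    print("identical across systems:", on_server_a == on_server_b)

    salt = os.urandom(4)  # per-connection random salt
    print("check passes from stored value alone:",
          server_accepts(on_server_a, salt, expected_response(on_server_a, salt)))

    rows = [("app", on_server_a),
            ("reporting", "SCRAM-SHA-256$4096:<salt>$<stored-key>:<server-key>"),
            ("nologin_role", None)]
    print("roles still on md5:", roles_using_md5(rows))
```

Against a live server, the same audit corresponds to reading `rolname` and `rolpassword` from `pg_authid` as a superuser and checking the prefix of each stored value.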