Bug#779683: [Pkg-postgresql-public] Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

2015-03-05 Thread Aaron Zauner
Hi, I think we should take this discussion to an appropriate PostgreSQL mailing list (please feel free to include me in a thread if you start one). But I think it's best to close this bug for now. I agree that MD5 needs to be replaced, but using plaintext instead is certainly no option. Aaron

2015-03-05 Thread Stephen Frost
Aaron, * Aaron Zauner (a...@azet.org) wrote: I think we should take this discussion to an appropriate PostgreSQL mailing list (please feel free to include me in a thread if you start one). But I think it's best to close this bug for now. I agree that MD5 needs to be replaced, but using

2015-03-05 Thread Stephen Frost
* Michael Samuel (m...@miknet.net) wrote: I think the direction upstream is going with SCRAM (or similar) is fine, but either new hashes are required or using a customized code base that uses MD5(password|username) where the password would normally be directly input is needed. For my 2c, I'm

2015-03-05 Thread Stephen Frost
* Christoph Berg (m...@debian.org) wrote: Re: Stephen Frost 2015-03-04 20150304145551.gu29...@tamriel.snowman.net Just to put the idea out there; PGSQL currently links to OpenSSL for TLS, right? TLS has support for SRP [0] [1]. This could be used for password based authenticated TLS

2015-03-05 Thread Christoph Berg
Re: Stephen Frost 2015-03-04 20150304145551.gu29...@tamriel.snowman.net Just to put the idea out there; PGSQL currently links to OpenSSL for TLS, right? TLS has support for SRP [0] [1]. This could be used for password based authenticated TLS sessions without client certificates. Might be

2015-03-05 Thread Michael Samuel
Hi, On 5 March 2015 at 19:58, Christoph Berg m...@debian.org wrote: That's an excellent thought.. I wasn't aware of this. Unfortunately, I'm not sure that we could make it the default in Debian as it requires server-side certificates be configured and used properly (correct?) but I don't

2015-03-05 Thread Aaron Zauner
Michael Samuel wrote: Hi, On 5 March 2015 at 19:58, Christoph Berg m...@debian.org wrote: That's an excellent thought.. I wasn't aware of this. Unfortunately, I'm not sure that we could make it the default in Debian as it requires server-side certificates be configured and used properly

2015-03-05 Thread Michael Samuel
On 5 March 2015 at 22:39, Aaron Zauner a...@azet.org wrote: Yep. I confused SRP with PSK ciphersuites here. There're no ciphersuites that support PKIX and SRP. Unfortunately there's also only AES-CBC (mac-then-encrypt) as a possible option when using SRP.

2015-03-04 Thread Aaron Zauner
Hi Stephen, Stephen Frost wrote: That's an excellent thought.. I wasn't aware of this. Unfortunately, I'm not sure that we could make it the default in Debian as it requires server-side certificates be configured and used properly (correct?) but I don't see a reason to not support it and

2015-03-04 Thread Michael Samuel
Hi, On 5 March 2015 at 01:25, Stephen Frost sfr...@snowman.net wrote: I was hoping for an option which would actually improve it, not make it the same as another mechanism that already exists.. Ok, so my general advice would definitely still be to use password authentication for unix and TLS

2015-03-04 Thread Aaron Zauner
Hi, Stephen Frost wrote: PG supports client-side certificate based authentication which would be far better than any kind of password-based authentication. If password based auth is insisted upon then TLS to verify the server-side and protect the network connection would be good and remove

2015-03-04 Thread Stephen Frost
Michael, * Michael Samuel (m...@miknet.net) wrote: On 4 March 2015 at 15:22, Stephen Frost sfr...@snowman.net wrote: That really just changes it back to the 'password' case though, doesn't it? An attacker who can sniff the network would get the response from the client and be able to use

2015-03-04 Thread Stephen Frost
Aaron, * Aaron Zauner (a...@azet.org) wrote: Stephen Frost wrote: We're currently looking at getting SCRAM support by implementing SASL, but I'm worried that we'll then create a dependency on SASL that people won't be happy with and therefore I'm very curious about how difficult it'd be

2015-03-03 Thread Aaron Zauner
Hi Stephen, * Stephen Frost sfr...@snowman.net [04/03/2015 01:45:56] wrote: Aaron, * Aaron Zauner (a...@azet.org) wrote: Debian ships a set of Perl scripts to configure for PostgreSQL server configurations, these are quite outdated and are currently configuring authentication to use MD5

2015-03-03 Thread Stephen Frost
* Michael Samuel (m...@miknet.net) wrote: On 4 March 2015 at 12:03, Aaron Zauner a...@azet.org wrote: Uh, no, using 'password' is far worse, and uniformly so, than using md5. I have no idea why anyone would think it's better to store a cleartext version of your password in the pg_authid

2015-03-03 Thread Stephen Frost
Aaron, * Aaron Zauner (a...@azet.org) wrote: Debian ships a set of Perl scripts to configure for PostgreSQL server configurations, these are quite outdated and are currently configuring authentication to use MD5 when 'password' should be used instead. Uh, no, using 'password' is far worse,

2015-03-03 Thread Michael Samuel
Just to make it clear: - I don't recommend storing the password in cleartext - I *do* recommend exchanging the password in cleartext over the network This is because the exchange network protocol is vulnerable to pass the hash - so somebody who has your pg_shadow but can't crack your password

2015-03-03 Thread Stephen Frost
* Michael Samuel (m...@miknet.net) wrote: - I don't recommend storing the password in cleartext - I *do* recommend exchanging the password in cleartext over the network And I will continue to argue that it's far worse these days to send the password in cleartext across the wire. This is

2015-03-03 Thread Michael Samuel
Hi, On 4 March 2015 at 12:03, Aaron Zauner a...@azet.org wrote: Uh, no, using 'password' is far worse, and uniformly so, than using md5. I have no idea why anyone would think it's better to store a cleartext version of your password in the pg_authid data (note that pg_shadow is only a view

2015-03-03 Thread Michael Samuel
Hi, On 4 March 2015 at 15:22, Stephen Frost sfr...@snowman.net wrote: That really just changes it back to the 'password' case though, doesn't it? An attacker who can sniff the network would get the response from the client and be able to use it in a replay attack just as if it was the

2015-03-03 Thread Stephen Frost
Michael, * Michael Samuel (m...@miknet.net) wrote: On 4 March 2015 at 12:33, Stephen Frost sfr...@snowman.net wrote: To be clear, I *am* from the PostgreSQL community and I'd be happy to discuss any useful suggestions about providing an alternative that doesn't break the wireline protocol,

2015-03-03 Thread Michael Samuel
Hi, On 4 March 2015 at 12:33, Stephen Frost sfr...@snowman.net wrote: * Michael Samuel (m...@miknet.net) wrote: - I don't recommend storing the password in cleartext - I *do* recommend exchanging the password in cleartext over the network And I will continue to argue that it's far worse