[38477] in bugtraq
Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
daemon@ATHENA.MIT.EDU (Stephen Frost)
Wed Apr 20 16:59:55 2005
Date: Wed, 20 Apr 2005 15:44:09 -0400
From: Stephen Frost <sfrost@snowman.net>
To: "David F. Skoll" <dfs@roaringpenguin.com>
Cc: pgsql-hackers@postgresql.org, bugtraq@securityfocus.com
Message-ID: <20050420194409.GR29028@ns.snowman.net>
Mail-Followup-To: "David F. Skoll" <dfs@roaringpenguin.com>,
pgsql-hackers@postgresql.org, bugtraq@securityfocus.com
In-Reply-To: <4266AF55.1070401@roaringpenguin.com>
* David F. Skoll (dfs@roaringpenguin.com) wrote:
> Stephen Frost wrote:
> > The md5 hash which is generated for and stored in pg_shadow does not
> > use a random salt but instead uses the username which can generally be
> > determined ahead of time (especially for the 'postgres' superuser
> > account).
>
> I noted that this was a problem back in August, 2002:
>
> http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php
>
> Then, as now, the developers weren't very concerned.
I have some hopes that pointing out the rather large problem with the
md5 authentication mechanism in pg_hba.conf will lead them to discourage
its use and thus reduce the occurrences of the salt being made
available to the user, giving more weight to the usefulness of having it
be a random salt. Additionally, it's been a few years; perhaps
viewpoints have changed.
Stephen
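The point of the thread is that a salt derived from the username is predictable, so the stored hash for a given (password, username) pair is identical on every installation. The added example below (not part of the mail thread, and not PostgreSQL's own code) makes that concrete: `pg_md5_hash` reproduces the layout PostgreSQL documents for md5 passwords, `"md5"` followed by the hex MD5 of the password concatenated with the username (the exact concatenation order is taken from PostgreSQL's documentation, not from the mail). `random_salt_hash` is a hypothetical contrast scheme using a per-entry random salt with PBKDF2; the passwords and usernames are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional


def pg_md5_hash(password: str, username: str) -> str:
    """Stored form PostgreSQL uses for md5 passwords: 'md5' + hex(md5(password || username)).

    The salt is the username, so the output is fully determined by the two
    inputs and never changes between servers or over time.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def random_salt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hypothetical contrast scheme (assumption, not PostgreSQL's): a fresh
    16-byte random salt per stored entry, stretched with PBKDF2-HMAC-SHA256.
    Stored form is '<salt hex>$<digest hex>' so the salt travels with the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_random_salt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = random_salt_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def compare_schemes(password: str, username: str) -> dict:
    """Simulate the same credential being set on two independent servers and
    report whether each scheme produces identical stored values.

    Identical values mean one precomputed table per username (e.g. 'postgres')
    would serve every installation; differing values mean each entry has to be
    attacked on its own, which is the property a random salt provides.
    """
    pg_server_a = pg_md5_hash(password, username)
    pg_server_b = pg_md5_hash(password, username)

    rnd_server_a = random_salt_hash(password)
    rnd_server_b = random_salt_hash(password)

    return {
        "pg_md5_identical_across_servers": pg_server_a == pg_server_b,
        "random_salt_identical_across_servers": rnd_server_a == rnd_server_b,
        # Both random-salt entries still verify the correct password ...
        "random_salt_both_verify": verify_random_salt(password, rnd_server_a)
        and verify_random_salt(password, rnd_server_b),
        # ... and reject a wrong one.
        "random_salt_rejects_wrong": not verify_random_salt(password + "x", rnd_server_a),
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for key, value in compare_schemes("s3cret-example", "postgres").items():
        print(f"{key}: {value}")
```

Running the script shows `pg_md5_identical_across_servers: True` and `random_salt_identical_across_servers: False`; the username-salted hash also differs between two users with the same password, but that does not help when the username is known in advance, which is exactly the case for the `postgres` superuser account the mail singles out.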