[38478] in bugtraq
Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
daemon@ATHENA.MIT.EDU (David F. Skoll)
Wed Apr 20 17:06:33 2005
Message-ID: <4266AF55.1070401@roaringpenguin.com>
Date: Wed, 20 Apr 2005 15:36:53 -0400
From: "David F. Skoll" <dfs@roaringpenguin.com>
MIME-Version: 1.0
To: Stephen Frost <sfrost@snowman.net>
Cc: pgsql-hackers@postgresql.org, bugtraq@securityfocus.com
In-Reply-To: <20050420165055.GQ29028@ns.snowman.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Stephen Frost wrote:
> The md5 hash which is generated for and stored in pg_shadow does not
> use a random salt but instead uses the username which can generally be
> determined ahead of time (especially for the 'postgres' superuser
> account).
I noted that this was a problem back in August, 2002:
http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php
Then, as now, the developers weren't very concerned.
Regards,
David.
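The point both posters make is that the stored value depends only on the password and the role name, so the same role name with the same password yields the same stored hash on every installation, which is exactly what a random per-entry salt is meant to prevent. The following script is an added illustration written for this archive page; it is not code from the thread or from the PostgreSQL project. It assumes the concrete layout PostgreSQL documents for this format (the literal prefix `md5` followed by the hex MD5 of the password concatenated with the role name); the random-salted variant is a hypothetical contrast scheme, not a PostgreSQL password format, and the sample role names and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

HEX_DIGITS = set("0123456789abcdef")


def pg_md5_password(password: str, username: str) -> str:
    """Deterministic form discussed in the thread (assumed layout, as
    documented by PostgreSQL): 'md5' + hex(MD5(password || username)).
    The role name is the only salt, so there is no randomness here."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def random_salted_md5(password: str, salt: Optional[bytes] = None) -> str:
    """Hypothetical contrast scheme (NOT a PostgreSQL format): a 16-byte
    random salt is stored next to the digest, so the same password hashes
    differently on every installation and for every re-enrolment."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_random_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt; constant-time compare."""
    salt_hex, digest = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    expected = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


def looks_like_pg_md5(stored: str) -> bool:
    """Audit helper for a pg_shadow 'passwd' value: True when it is in the
    deterministic 'md5' + 32 hex form, i.e. salted only by the role name."""
    return (
        len(stored) == 35
        and stored.startswith("md5")
        and all(c in HEX_DIGITS for c in stored[3:])
    )


def cross_installation_collision(username: str, password: str) -> bool:
    """Model two independent database installations (constructed) that
    happen to share a role name and password. With the username-salted
    form the stored values are identical, so one precomputed table covers
    both; with a random salt they differ. Returns True when the
    username-salted values collide and the random-salted ones do not."""
    install_a = pg_md5_password(password, username)
    install_b = pg_md5_password(password, username)
    salted_a = random_salted_md5(password)
    salted_b = random_salted_md5(password)
    return install_a == install_b and salted_a != salted_b


if __name__ == "__main__":
    # Constructed sample: the well-known superuser role with a weak password.
    print("stored form:", pg_md5_password("s3cret", "postgres"))
    print("identical across installations, random salt differs:",
          cross_installation_collision("postgres", "s3cret"))
```

`looks_like_pg_md5` is the piece a DBA can turn into an inventory: pull the `passwd` column from `pg_shadow` for each `usename` and flag every value that matches the deterministic form, which tells you which roles are exposed to the precomputation concern raised above.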