[38486] in bugtraq


Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

daemon@ATHENA.MIT.EDU (Tom Lane)
Wed Apr 20 18:57:18 2005

To: Bruce Momjian <pgman@candle.pha.pa.us>
Cc: "Jim C. Nasby" <decibel@decibel.org>, Stephen Frost <sfrost@snowman.net>,
        pgsql-hackers@postgresql.org, bugtraq@securityfocus.com
In-reply-to: <200504202210.j3KMAgf21874@candle.pha.pa.us> 
Date: Wed, 20 Apr 2005 18:17:40 -0400
Message-ID: <6250.1114035460@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>

Bruce Momjian <pgman@candle.pha.pa.us> writes:
> That's what I told him.  I think his concern about pre-computed hashes
> is the only real issue, and given 'postgres' is usually the super-user, I
> can see someone pre-computing md5 postgres hashes and doing quick
> comparisons, perhaps as a root kit so you don't have to do the hashing
> yourself.   I personally don't find that very compelling either.

Lessee ... we'll include a complete password hash table in a root kit,
which will be used at a point where we've already managed to read
pg_shadow but are somehow still lacking the ability to do anything else
we could want to the database ... nope, not very compelling.

			regards, tom lane
