[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

Aaron Zauner azet at azet.org
Wed Mar 4 01:03:33 UTC 2015


Hi Stephen,

* Stephen Frost <sfrost at snowman.net> [04/03/2015 01:45:56] wrote:
> Aaron,
> 
> * Aaron Zauner (azet at azet.org) wrote:
> > Debian ships a set of Perl scripts to configure for PostgreSQL server
> > configurations, these are quite outdated and are currently configuring
> > authentication to use MD5 when 'password' should be used instead.
> 
> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
> I have no idea why anyone would think it's better to store a cleartext
> version of your password in the pg_authid data (note that pg_shadow is
> only a view now, I replaced it long ago when I rewrote the user/group
> system to be role-based).
> 

I assumed 'password' is an alias for a stronger hashing scheme. Mea
culpa, I should have read the source-code, not only the package
content and upstream defaults. I was not aware that 'password' is
indeed 'plaintext'.

> Absolutely no would be the answer. 

Given your explanation I totally agree here. I'm good to close this
- but let's wait if mik replies to this as well.

> The PG community has long been discussing the possibility of providing a
> new authentication mechanism to replace the md5 one, but anyone who
> actually cares about security will be using Kerberos or Certificate
> based authentication anyway, so it hasn't been a priority.

Agreed - most enterprise or cloud deployments I've been involved with
use either PKIX or Kerberos. This is a good security measure.
Replacing MD5 would be nice as well (scrypt, bcrypt?). But I guess a
Debian bug report is the wrong place to discuss this.

Thanks for clearing this up & your quick reply,
Aaron
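As an added example (not part of this thread, Debian's postgresql-common scripts, or PostgreSQL itself), a small audit script that parses the pg_hba.conf record format discussed above and flags entries using the cleartext 'password' method or 'trust'; the sample configuration is constructed.

```python
# Audit a pg_hba.conf for authentication methods that skip hashing:
# 'password' sends the cleartext password over the wire, 'trust' asks for
# no password at all. Everything below is an illustrative example.
import re

# Constructed sample: a Debian-style pg_hba.conf with two weak lines added.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     password
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
hostssl replication     replicator      10.0.0.0/8              cert clientcert=1
host    app             app             0.0.0.0/0               trust
"""

WEAK_METHODS = {"password": "cleartext password on the wire",
                "trust": "no authentication at all"}

def parse_pg_hba(text):
    """Yield one dict per record. 'local' lines have no ADDRESS column;
    host* lines give ADDRESS as CIDR, a hostname, or 'ip netmask' (two
    fields, IPv4 only handled here)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pg_hba.conf line: {raw!r}")
        ctype, database, user = fields[:3]
        if ctype == "local":
            address, rest = None, fields[3:]
        elif (len(fields) > 4 and "/" not in fields[3]
              and re.fullmatch(r"[\d.]+", fields[4])):
            address, rest = fields[3] + " " + fields[4], fields[5:]  # ip netmask
        else:
            address, rest = fields[3], fields[4:]
        yield {"type": ctype, "database": database, "user": user,
               "address": address, "method": rest[0], "options": rest[1:]}

def find_weak_entries(text):
    """Return (record, reason) for every entry using a weak auth method."""
    return [(rec, WEAK_METHODS[rec["method"]]) for rec in parse_pg_hba(text)
            if rec["method"] in WEAK_METHODS]

if __name__ == "__main__":
    for rec, reason in find_weak_entries(SAMPLE_PG_HBA):
        print(f"{rec['type']:8}{rec['database']:14}{rec['user']:12}"
              f"{(rec['address'] or ''):18}{rec['method']}: {reason}")
```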