[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

Michael Samuel mik at miknet.net
Wed Mar 4 01:09:31 UTC 2015


Hi,

On 4 March 2015 at 12:03, Aaron Zauner <azet at azet.org> wrote:
>> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
>> I have no idea why anyone would think it's better to store a cleartext
>> version of your password in the pg_authid data (note that pg_shadow is
>> only a view now, I replaced it long ago when I rewrote the user/group
>> system to be role-based).

I was referring to the pg_hba.conf setting in my recommendation.
Using "password" there does not change the stored hash, it only
changes the network protocol.

> Agreed - most enterprise or cloud deployments I've been involved with
> use either PKIX or Kerberos. This is a good security measure.
> Replacing MD5 would be nice as well (scrypt, bcrypt?). But I guess a
> Debian bug report is the wrong place to discuss this.

Agree that a Debian bug is the wrong place to discuss fixing password hashing.
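As an added illustration (not part of this thread), the following Python models what the two pg_hba.conf methods put on the wire against the same stored MD5 credential: the stored value is identical either way, "password" transmits the cleartext, and "md5" transmits a per-connection salted hash that the server can check from the stored hash alone. The username, password and salt are constructed sample values.

```python
import hashlib
import hmac

# Models PostgreSQL's MD5 credential handling (illustration, not server code).
# The role's stored credential is the same whether pg_hba.conf says
# "password" or "md5"; only what crosses the network differs.

def stored_md5_credential(username: str, password: str) -> str:
    """What pg_authid holds for an MD5 password: 'md5' + hex(md5(password + username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_auth_response(username: str, password: str, salt: bytes) -> str:
    """Client reply for method 'md5': 'md5' + hex(md5(hex(md5(pw + user)) + salt)).
    The server picks a fresh 4-byte salt for every connection."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def server_verify_md5(stored: str, response: str, salt: bytes) -> bool:
    """Server side of 'md5': recomputes the expected reply from the stored hash only."""
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def server_verify_password(stored: str, username: str, cleartext: str) -> bool:
    """Server side of 'password': hashes the received cleartext and compares."""
    return hmac.compare_digest(stored, stored_md5_credential(username, cleartext))


def wire_payload(method: str, username: str, password: str, salt: bytes) -> bytes:
    """Bytes the client sends in its PasswordMessage under each pg_hba.conf method."""
    if method == "password":
        return password.encode()  # cleartext on the wire
    if method == "md5":
        return md5_auth_response(username, password, salt).encode()
    raise ValueError(f"unsupported method {method!r}")


if __name__ == "__main__":
    user, pw, salt = "alice", "correct horse", b"\x8a\x1f\x33\x07"  # constructed sample
    stored = stored_md5_credential(user, pw)
    print("stored credential:", stored)
    for method in ("password", "md5"):
        payload = wire_payload(method, user, pw, salt)
        print(f"{method:8s} -> {payload!r}  (password visible: {pw.encode() in payload})")
```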
