[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication
Michael Samuel
mik at miknet.net
Wed Mar 4 01:09:31 UTC 2015
Hi,
On 4 March 2015 at 12:03, Aaron Zauner <azet at azet.org> wrote:
>> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
>> I have no idea why anyone would think it's better to store a cleartext
>> version of your password in the pg_authid data (note that pg_shadow is
>> only a view now, I replaced it long ago when I rewrote the user/group
>> system to be role-based).
I was referring to the pg_hba.conf setting in my recommendation.
Using "password" there does not change the stored hash, it only
changes the network protocol.
> Agreed - most enterprise or cloud deployments I've been involved with
> use either PKIX or Kerberos. This is a good security measure.
> Replacing MD5 would be nice as well (scrypt, bcrypt?). But I guess a
> debian bug report is the wrong place to discuss this.
Agree that the Debian bug is the wrong place to discuss fixing password hashing.
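The point above is that `password` in pg_hba.conf changes only the wire protocol (the cleartext password is sent to the server) while `md5` uses a challenge/response; neither changes the hash stored in pg_authid. The following audit script, an added example and not code from the thread or from the PostgreSQL project, parses a pg_hba.conf and reports every record that still uses the `password` method; the sample configuration, the `parse_hba` and `find_cleartext_password_lines` function names, and the risk wording are all constructed for this illustration.

```python
"""Report pg_hba.conf records that use the cleartext 'password' method.

Hypothetical audit helper written for this thread. The 'password' method
sends the client's password in cleartext inside the connection; 'md5' sends
a challenge/response instead. The stored hash in pg_authid is the same.
"""

# Authentication methods recognised in pg_hba.conf (used to tell a method
# apart from a separate netmask field on host records).
AUTH_METHODS = {"trust", "reject", "md5", "password", "scram-sha-256", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

# Constructed sample configuration, not taken from any real system.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      peer
host    all       all   127.0.0.1/32       md5
host    all       app   10.0.0.0 255.0.0.0 password
hostssl all       all   0.0.0.0/0          password
host    all       all   ::1/128            md5
"""


def parse_hba(text):
    """Return (lineno, type, database, user, address, method) per record."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            records.append((lineno, f[0], f[1], f[2], None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            # ADDRESS is either one CIDR field or address + separate netmask
            if f[4] in AUTH_METHODS:
                address, method = f[3], f[4]
            elif len(f) >= 6:
                address, method = f[3] + "/" + f[4], f[5]
            else:
                continue                       # malformed record, skip it
            records.append((lineno, f[0], f[1], f[2], address, method))
    return records


def find_cleartext_password_lines(text):
    """List records whose method is 'password', with where the cleartext goes."""
    findings = []
    for lineno, conn_type, db, user, address, method in parse_hba(text):
        if method != "password":
            continue
        if conn_type == "hostssl":
            risk = "cleartext inside TLS; still weaker than md5"
        elif conn_type == "local":
            risk = "cleartext over local socket"
        else:
            risk = "cleartext on the network"
        findings.append((lineno, conn_type, db, user, address, risk))
    return findings
```

Running `find_cleartext_password_lines(SAMPLE_HBA)` flags the two `password` records (lines 4 and 5 of the sample) and leaves the `md5` and `peer` records alone.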