[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

Michael Samuel mik at miknet.net
Wed Mar 4 01:25:12 UTC 2015


Just to make it clear:

- I don't recommend storing the password in cleartext
- I *do* recommend exchanging the password in cleartext over the network

This is because the exchange network protocol is vulnerable to "pass
the hash" - so somebody who has your pg_shadow but can't crack your
password can still use the hash to login.

In the thread it was pointed out that the network protocol is
vulnerable to session hijacking.  Additionally, the challenge-response
protocol is vulnerable to extremely fast password searches. This is
just another broken ad-hoc challenge-response protocol to be added to
the heap.  If anyone from postgres is interested in putting a
network-compatible fix for password hashing in, feel free to contact
me.


On 4 March 2015 at 12:09, Michael Samuel <mik at miknet.net> wrote:
> Hi,
>
> On 4 March 2015 at 12:03, Aaron Zauner <azet at azet.org> wrote:
>>> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
>>> I have no idea why anyone would think it's better to store a cleartext
>>> version of your password in the pg_authid data (note that pg_shadow is
>>> only a view now, I replaced it long ago when I rewrote the user/group
>>> system to be role-based).
>
> I was referring to the pg_hba.conf setting in my recommendation.
> Using "password" there does not change the stored hash, it only
> changes the network protocol.
>
>> Agreed - most enterprise or cloud deployments I've been involved with
>> use either PKIX or kerberos. This is a good security measure.
>> Replacing MD5 would be nice as well (scrypt, bcrypt?). But I guess a
>> debian bug report is the wrong place to discuss this.
>
> Agree that a debian bug is the wrong place to discuss fixing password hashing.
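The two pg_hba.conf methods the thread is arguing about, as an added worked example that is not part of the thread and not PostgreSQL's own code: it models the pre-SCRAM PostgreSQL scheme, where the stored value is md5(password || username) and the "md5" wire response is md5(hex_inner || 4-byte salt), next to the "password" method, where the client sends the cleartext and the server recomputes the stored value. The function names, the role name "alice", the password and the salt are constructed for this example. It shows why changing the pg_hba method does not change the stored hash, and why the stored hash alone is enough to produce a valid "md5" response (the property the message calls "pass the hash").

```python
import hashlib
import hmac


def pg_md5_stored_hash(username: str, password: str) -> str:
    """Value kept in pg_authid.rolpassword for the pre-SCRAM scheme:
    'md5' + hex(md5(password || username)). Identical for both pg_hba methods."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_response_from_password(username: str, password: str, salt: bytes) -> str:
    """What a legitimate client sends for the pg_hba 'md5' method: it first
    derives the inner hex digest from the password, then hashes it with the
    server's 4-byte salt."""
    inner_hex = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def md5_response_from_stored_hash(stored_hash: str, salt: bytes) -> str:
    """The same wire response computed from the stored value only.
    No password is involved: the stored hash is password-equivalent."""
    inner_hex = stored_hash[len("md5"):]
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def server_verify_md5(stored_hash: str, salt: bytes, response: str) -> bool:
    """Server-side check for the 'md5' method. The server can only recompute
    the expected response from what it stores, which is exactly what an
    attacker holding pg_authid contents can do as well."""
    expected = md5_response_from_stored_hash(stored_hash, salt)
    return hmac.compare_digest(expected, response)


def server_verify_password_method(stored_hash: str, username: str, cleartext: str) -> bool:
    """Server-side check for the 'password' method: the cleartext travels over
    the wire (so it must be wrapped in TLS), but the stored value is unchanged."""
    return hmac.compare_digest(pg_md5_stored_hash(username, cleartext), stored_hash)


def demonstrate_hash_equivalence(username: str, password: str, salt: bytes) -> bool:
    """Returns True when a response built from the stored hash alone is accepted
    by the server, i.e. when leaking the hash is as bad as leaking the password."""
    stored = pg_md5_stored_hash(username, password)
    forged_without_password = md5_response_from_stored_hash(stored, salt)
    return server_verify_md5(stored, salt, forged_without_password)


if __name__ == "__main__":
    # Constructed sample inputs; real salts are random per connection attempt.
    user, pw, salt = "alice", "s3cret-example", b"\x01\x02\x03\x04"
    print("stored:", pg_md5_stored_hash(user, pw))
    print("stored hash alone authenticates:", demonstrate_hash_equivalence(user, pw, salt))
```

The `hmac.compare_digest` calls are a constant-time comparison habit, not something the pre-SCRAM scheme itself provides. The defensive conclusion matches the message: the stored hash must be guarded like a password, and the only way out of the password-equivalence problem is a different protocol (PostgreSQL later added SCRAM-SHA-256 for this reason).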


