[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

Stephen Frost sfrost at snowman.net
Thu Mar 5 16:51:22 UTC 2015


* Christoph Berg (myon at debian.org) wrote:
> Re: Stephen Frost 2015-03-04 <20150304145551.GU29780 at tamriel.snowman.net>
> > > Just to put the idea out there; PGSQL currently links to OpenSSL for
> > > TLS, right? TLS has support for SRP [0] [1]. This could be used for
> > > password based authenticated TLS sessions without client certificates.
> > > Might be less of a burden on users than deploying PKIX with
> > > client-certificates while still providing proper security.
> > 
> > That's an excellent thought..  I wasn't aware of this.  Unfortunately,
> > I'm not sure that we could make it the default in Debian as it requires
> > server-side certificates be configured and used properly (correct?) but
> > I don't see a reason to not support it and encourage its use.
> 
> We have the autogenerated snakeoil certificates that we use anyway.
> If these aren't good (why?), we could put more automation in there and
> generate proper certificates. That's probably more of a
> distribution-wide topic and not just PostgreSQL, though.

They are sufficient to prevent sniffing but not man in the middle
attacks because you don't verify the server side.  The 'md5' and
'password' authentication mechanisms available in PG do nothing to
address that either, and the proposed changes wouldn't fix that either.

SCRAM (possibly with TLS channel bindings, not sure..) would address
that issue, I believe.

	Thanks!

		Stephen
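To make the distinction in this exchange concrete (credential sniffing versus server verification), here is an added audit script that is not part of the thread or of the PostgreSQL packaging. It parses `pg_hba.conf` lines, flags entries that expose credentials on unencrypted `host` lines or that rely on server-side TLS without the client verifying the peer, and classifies libpq `sslmode` values by what they actually guarantee. The sample configuration embedded at the bottom is constructed for the example.

```python
"""Audit pg_hba.conf entries and libpq sslmode values for the weaknesses
discussed above: sniffable credentials and unverified TLS peers."""
from dataclasses import dataclass
from typing import List, Tuple

# Authentication methods pg_hba.conf accepts (used to tell "address mask method"
# lines apart from "address/cidr method" lines).
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}


@dataclass
class HbaEntry:
    conn_type: str   # local, host, hostssl, hostnossl
    database: str
    user: str
    address: str     # CIDR, "ip mask", or hostname; empty for 'local'
    method: str
    options: str


def parse_pg_hba(text: str) -> List[HbaEntry]:
    """Parse pg_hba.conf text. '#' comments and blank lines are skipped;
    'local' lines carry no address column, all other types do."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"malformed local entry: {raw!r}")
            entries.append(HbaEntry(f[0], f[1], f[2], "", f[3], " ".join(f[4:])))
            continue
        if len(f) < 5:
            raise ValueError(f"malformed entry: {raw!r}")
        if f[4] not in METHODS and len(f) >= 6 and f[5] in METHODS:
            # Separate-netmask form: ADDRESS MASK METHOD
            addr, method, opts = f"{f[3]} {f[4]}", f[5], " ".join(f[6:])
        else:
            addr, method, opts = f[3], f[4], " ".join(f[5:])
        entries.append(HbaEntry(f[0], f[1], f[2], addr, method, opts))
    return entries


def audit(entries: List[HbaEntry]) -> List[str]:
    """Return one finding string per weak network-facing entry."""
    findings = []
    for e in entries:
        if e.conn_type == "local":
            continue  # Unix-socket entries are not exposed to the network
        where = f"{e.conn_type} {e.database} {e.user} {e.address}"
        tls = e.conn_type == "hostssl"
        if e.method == "trust":
            findings.append(f"{where}: 'trust' grants access with no credentials")
        elif e.method == "password" and not tls:
            findings.append(f"{where}: 'password' sends the cleartext password; "
                            "sniffable unless the client forces TLS")
        elif e.method == "md5" and not tls:
            findings.append(f"{where}: 'md5' exchange is sniffable and can be "
                            "brute-forced offline from a capture")
        elif e.method == "md5" and tls:
            findings.append(f"{where}: TLS is required here, but 'md5' does not "
                            "authenticate the server; only a client using "
                            "sslmode=verify-ca/verify-full detects a MITM")
    return findings


def sslmode_protection(mode: str) -> Tuple[bool, str]:
    """Map a libpq sslmode to (encryption guaranteed, peer verification).
    'prefer' is not counted as encrypted: an active attacker can downgrade it."""
    table = {
        "disable": (False, "none"), "allow": (False, "none"), "prefer": (False, "none"),
        "require": (True, "none"), "verify-ca": (True, "chain"),
        "verify-full": (True, "chain+hostname"),
    }
    return table[mode]


# Constructed sample pg_hba.conf (not from any real system).
SAMPLE = """
# TYPE  DATABASE  USER  ADDRESS             METHOD
local   all       all                       peer
host    all       all   127.0.0.1/32        md5
host    all       all   10.0.0.0 255.0.0.0  password
hostssl all       all   0.0.0.0/0           md5
hostssl all       all   ::/0                scram-sha-256
host    app       app   192.168.1.0/24      trust
"""

if __name__ == "__main__":
    for finding in audit(parse_pg_hba(SAMPLE)):
        print(finding)
    for m in ("require", "verify-full"):
        print(m, sslmode_protection(m))
```

Running it prints four findings for the sample: the loopback and 10/8 `host` lines (sniffable `md5` and cleartext `password`), the `hostssl ... md5` line (encrypted but the server is never verified unless the client asks for it), and the `trust` line. The `scram-sha-256` entry produces no finding, matching the thread's point that SCRAM is the mechanism that moves beyond `md5`.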