Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

To: Stephen Frost <sfrost@xxxxxxxxxxx>
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
From: "David F. Skoll" <dfs@xxxxxxxxxxxxxxxxxx>
Date: Wed, 20 Apr 2005 15:36:53 -0400
Cc: pgsql-hackers@xxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20050420165055.GQ29028@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050420165055.GQ29028@xxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.2 (X11/20050317)

Stephen Frost wrote:

>   The md5 hash which is generated for and stored in pg_shadow does not
>   use a random salt but instead uses the username which can generally be
>   determined ahead of time (especially for the 'postgres' superuser
>   account).

I noted that this was a problem back in August, 2002:

http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php

Then, as now, the developers weren't very concerned.

Regards,

David.

Follow-Ups:
- Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  - From: Stephen Frost

References:
- Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  - From: Stephen Frost

Prev by Date: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Next by Date: cpio directory traversal vulnerability
Previous by thread: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Next by thread: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Index(es):
- Date
- Thread