Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Bruce Momjian <pgman@xxxxxxxxxxxxxxxx> writes:
> That's what I told him. I think his concern about pre-computed hashes
> is the only real issue, and give 'postgres' is usually the super-user, I
> can see someone pre-computing md5 postgres hashes and doing quick
> comparisons, perhaps as a root kit so you don't have to do the hashing
> yourself. I personally don't find that very compelling either.
Lessee ... we'll include a complete password hash table in a root kit,
which will be used at a point where we've already managed to read
pg_shadow but are somehow still lacking the ability to do anything else
we could want to the database ... nope, not very compelling.
regards, tom lane