Re: What goes into the security doc?

From Robert Treat
Subject Re: What goes into the security doc?
Date
Msg-id 1043162191.18529.11.camel@camel
In response to What goes into the security doc?  (Dan Langille <dan@langille.org>)
Responses Re: What goes into the security doc?  ("Christopher Kings-Lynne" <chriskl@familyhealth.com.au>)
Re: What goes into the security doc?  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
I'm not sure how adequately these topics are covered elsewhere, but you
should probably provide at least a pointer if not improved information:

* Should have a mention of the pgcrypto code in contrib.

* Brain hiccup, but isn't there some type of "password" datatype?

* Explanation of problems/solutions of using md5 passwords inside
PostgreSQL. This has tripped up a lot of people upgrading to 7.3.

* Possibly go into server resource issues and the pitfalls in giving
free-form SQL access to just anyone. (Think unconstrained join on all
tables in a database.)

hth,

Robert Treat

On Mon, 2003-01-20 at 00:01, Dan Langille wrote:
> With reference to my post to the "PostgreSQL Password Cracker" on
> 2003-01-02, I've promised to write a security document for the project.
> Here it is, Sunday night, and I can't sleep.  What better way to get there
> than start this task...
> 
> My plan is to write this in very simple HTML.  I will post the draft
> document on my website and post the URL here from time to time for
> feedback. Please make suggestions for content.  So far, I will cover these
> items:
> 
> - .pgpass (see
> http://developer.postgresql.org/docs/postgres/libpq-files.html)
> - local connections
> - remote connections (recommending SSL)
> - pg_hba (only in passing, most of that is at
> http://www.postgresql.org/idocs/index.php?client-authentication.html)
> - running the postmaster as a specific user
> 
> That doesn't sound like much.  Surely you can think of something else to
> add.  Should I post this to another list for their views?
> 
> OK, that's done it.  I'm ready for sleep now.



