Re: You're on SecurityFocus.com for the cleartext passwords.

From Tom Lane
Subject Re: You're on SecurityFocus.com for the cleartext passwords.
Date
Msg-id 11055.957637762@sss.pgh.pa.us
In reply to Re: You're on SecurityFocus.com for the cleartext passwords.  (Benjamin Adida <ben@mit.edu>)
Responses Re: You're on SecurityFocus.com for the cleartext passwords.  (Benjamin Adida <ben@mit.edu>)
Re: You're on SecurityFocus.com for the cleartext passwords.  (Vince Vielhaber <vev@michvhf.com>)
Re: You're on SecurityFocus.com for the cleartext passwords.  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
Benjamin Adida <ben@mit.edu> writes:
>> It doesn't sound like MD5 changes this at all.

> The MD5 definitely doesn't change anything except overall security strength
> of the algorithm.

OK, understood.  So it seems that switching to MD5 would offer (a) more
portability to platforms without crypt(3), and (b) better security,
at the costs of (a) implementation effort and (b) cross-version
compatibility problems.  We probably ought to keep that discussion
separate from the one about how the challenge protocol works.

> The additional random salt prevents someone from sniffing
> the communication between client and server and then simply log in by
> sending the known hash of the password. The challenge-response means that
> sniffing one login doesn't allow you to fake the next one.

How so?  The server sends out one fixed salt (the one stored for that
user's password in pg_shadow) and one randomly-chosen salt.  The client
sends back two crypted passwords.  The server can check one of them.
What can it do with the other?  Nothing that I can see, so where is the
security gain?  A sniffer can still get in by sending back the same
pair of crypted passwords next time, no matter what random salt is
presented.
        regards, tom lane
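The exchange Tom describes, modelled as an added example that is not part of the original message or of PostgreSQL's code: a server holding a fixed salt and the salted hash (as pg_shadow would), a client answering with two crypted passwords, and a check that the server can verify only the fixed-salt value, so a captured pair is accepted again under a fresh random salt. For contrast it also models a chained variant, an assumption of this example rather than anything the message proposes, in which the client hashes the stored hash with the random salt so the server can recompute the response and a replay fails. The credentials, salts and the use of hashlib.sha256 in place of crypt(3)/MD5 are all constructed for the example.

```python
"""Toy model of the two-salt challenge described in the message, plus a
variant the server can actually verify. Passwords, salts and the hash
function are constructed for this example: hashlib.sha256 stands in for
crypt(3)/MD5, since the argument only needs a one-way salted hash."""
import hashlib
import secrets


def salted_hash(secret: str, salt: str) -> str:
    """Stand-in for crypt(password, salt): a one-way hash of salt || secret."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


class Server:
    """Per-user state as in pg_shadow: the fixed salt and the hash made with it."""

    def __init__(self, password: str, fixed_salt: str) -> None:
        self.fixed_salt = fixed_salt
        self.stored_hash = salted_hash(password, fixed_salt)

    def challenge(self) -> tuple[str, str]:
        """Send the stored fixed salt and a freshly chosen random salt."""
        return self.fixed_salt, secrets.token_hex(8)

    def verify_as_described(self, response: tuple[str, str]) -> bool:
        """Only the fixed-salt value can be compared with pg_shadow; the
        random-salt value cannot be checked without the plaintext, so it is
        ignored, which is exactly the gap the message points out."""
        h_fixed, _h_random = response
        return h_fixed == self.stored_hash

    def verify_chained(self, random_salt: str, response: str) -> bool:
        """Hypothetical variant (not from the message): the client hashes the
        stored hash with the random salt, so the server can recompute it."""
        return response == salted_hash(self.stored_hash, random_salt)


def respond_as_described(password: str, fixed_salt: str, random_salt: str) -> tuple[str, str]:
    """Client side of the exchange the message describes: two crypted passwords."""
    return salted_hash(password, fixed_salt), salted_hash(password, random_salt)


def respond_chained(password: str, fixed_salt: str, random_salt: str) -> str:
    """Client side of the hypothetical variant: crypt(crypt(pw, fixed), random)."""
    return salted_hash(salted_hash(password, fixed_salt), random_salt)


def fresh_challenge(server: Server, previous_random: str) -> tuple[str, str]:
    """A second challenge whose random salt differs from the captured one."""
    fixed, rnd = server.challenge()
    while rnd == previous_random:  # 2^-64 chance, but keep the demo deterministic
        fixed, rnd = server.challenge()
    return fixed, rnd


def replay_accepted_as_described() -> bool:
    """A sniffed response pair is presented again under a new random salt."""
    server = Server("hunter2", "ab")  # constructed credentials
    fixed, rnd1 = server.challenge()
    captured = respond_as_described("hunter2", fixed, rnd1)
    if not server.verify_as_described(captured):  # the genuine login must work
        raise RuntimeError("legitimate login failed")
    _fixed, _rnd2 = fresh_challenge(server, rnd1)  # new session, new random salt
    return server.verify_as_described(captured)  # old pair: still accepted


def replay_accepted_chained() -> bool:
    """The same replay against the chained variant."""
    server = Server("hunter2", "ab")
    fixed, rnd1 = server.challenge()
    captured = respond_chained("hunter2", fixed, rnd1)
    if not server.verify_chained(rnd1, captured):
        raise RuntimeError("legitimate login failed")
    _fixed, rnd2 = fresh_challenge(server, rnd1)
    return server.verify_chained(rnd2, captured)  # old response no longer matches


if __name__ == "__main__":
    print("two-salt scheme accepts replay:", replay_accepted_as_described())  # True
    print("chained scheme accepts replay: ", replay_accepted_chained())  # False
```

The chained variant closes the replay gap but not the concern quoted at the top of the message: the value in pg_shadow becomes password-equivalent, since anyone who can read the stored hash can compute the response for any random salt. Whether that trade-off is acceptable depends on how well pg_shadow is protected, which is a separate question from the one raised here.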

