Re: You're on SecurityFocus.com for the cleartext passwords.

From: Tom Lane
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.
Msg-id: 11408.957640013@sss.pgh.pa.us
In reply to: Re: You're on SecurityFocus.com for the cleartext passwords.  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses: Re: You're on SecurityFocus.com for the cleartext passwords.  (Bruce Momjian <pgman@candle.pha.pa.us>)
List: pgsql-hackers
Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> Probably the way to attack this would be to combine MD5 and this double
>> password-munging algorithm as a new authentication protocol type to add
>> to the ones we already support.  That way old clients don't have to be
>> updated instantly.

> Not sure that will work because once we use md5 on the server side for
> pg_shadow, we have to be able to do md5 on the client, I think, for
> crypting because the md5 has to be done _before_ the random salt crypt.

We can still support old clients under the cleartext-password protocol:
client sends password in clear, server MD5's it using salt from
pg_shadow and compares result.  This is vulnerable to sniffing but no
more so than it was before.  What we would lose is backwards
compatibility to the crypt-password protocol.  We should still choose
a new Authentication typecode for the MD5/double-hash protocol, just to
make sure no one gets confused about which protocol is being requested.

If these reports are correct that some platforms already have MD5, not
DES, inside crypt(3) then I'm definitely leaning towards going with MD5.
The best reason to stick with crypt as the hash engine would be to
preserve support for the existing crypt-based protocol, but if that's
already broken cross-platform then the value of continuing to support it
looks pretty dubious.  (After all, the clients on your own box are
probably getting updated at the same time as the server --- it's clients
on other boxes that you're really worried about backwards compatibility
for.)
        regards, tom lane
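The two exchanges Tom sketches, as an added illustrative model (not PostgreSQL's own code, and not the protocol as it was eventually shipped): pg_shadow holds MD5(password || salt) instead of the cleartext; an old client still sends the password in clear and the server re-hashes and compares; a new client hashes twice, the pg_shadow hash first and then again with the server's random salt, so only a challenge-bound digest crosses the wire. Using the user name as the pg_shadow salt and a 4-byte random challenge are assumptions of this model.

```python
import hashlib
import secrets


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def set_password(pg_shadow: dict, user: str, password: str) -> None:
    # Server side: pg_shadow keeps MD5(password || salt), never the cleartext.
    # Assumption of this model: the per-user salt kept in pg_shadow is the user name.
    pg_shadow[user] = md5_hex(password.encode() + user.encode())


# --- Protocol A: existing cleartext-password protocol, MD5-hashed pg_shadow ---
def cleartext_wire(password: str) -> str:
    # An old client sends the password itself; anyone sniffing the link sees it.
    return password


def cleartext_verify(pg_shadow: dict, user: str, wire_password: str) -> bool:
    # Server re-hashes what arrived with the pg_shadow salt and compares.
    stored = pg_shadow.get(user)
    if stored is None:
        return False
    return secrets.compare_digest(md5_hex(wire_password.encode() + user.encode()), stored)


# --- Protocol B: new MD5/double-hash protocol (its own authentication typecode) ---
def new_challenge() -> bytes:
    # Server side: fresh random salt per connection (4 bytes assumed).
    return secrets.token_bytes(4)


def double_hash_wire(user: str, password: str, challenge: bytes) -> str:
    # Client: compute the pg_shadow hash first, then hash it with the random salt.
    inner = md5_hex(password.encode() + user.encode())
    return md5_hex(inner.encode() + challenge)


def double_hash_verify(pg_shadow: dict, user: str, challenge: bytes, response: str) -> bool:
    # Server never needs the cleartext: it salts the stored hash the same way.
    stored = pg_shadow.get(user)
    if stored is None:
        return False
    return secrets.compare_digest(md5_hex(stored.encode() + challenge), response)
```

Note that in protocol B the value in pg_shadow is itself enough to answer the challenge, so the stored hash still has to be protected as a credential even though the cleartext is gone.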

