Tom Lane wrote:
> One possibility that comes to mind is that we store MD5(MD5(password))
> in pg_shadow, and expect the client to transmit MD5(password).
> Of course that needs a cloaking scheme if you want to protect against
> password sniffing, but offhand it seems that the same scheme Ben Adida
> proposed should still work...
That would be pretty close to the RFC 2617 Digest Authentication. Why
don't we use that? Using an existing, widespread standard is good in
terms of portability, and saves on validating the principal algorithm.
Sevo
--
sevo@ip23.net