Discussion: [DOCS] Password encryption


[DOCS] Password encryption

From
mudit0201@gmail.com
Date:
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.1/static/libpq-pgpass.html
Description:

Can we keep encrypted password in .pgpass file or is there any way to
provide encrypted password to connect to postgres or can we pass password to
psql command as an argument?

Re: [DOCS] Password encryption

From
Michael Paquier
Date:
Hi,

On Thu, Jun 29, 2017 at 9:23 PM,  <mudit0201@gmail.com> wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/9.1/static/libpq-pgpass.html
> Description:
>
> Can we keep encrypted password in .pgpass file or is there any way to
> provide encrypted password to connect to postgres or can we pass password to
> psql command as an argument?

This question would be more adapted to pgsql-general, as this is not a
documentation bug.

The password present in the password file needs to be in plain format.
When using an SSL connection, the handshake happens before the actual
password authentication, so the data related to the password exchanged
would be encrypted, and in the case of MD5 what is actually sent to a
server is already a MD5 hash of it that the server compares with a
salt applied on it.

A user knowing only the MD5 hash, and not the plain password would
still be able to connect, so you really had better use SSL anyway if
connecting with an untrusted network. Postgres 10 comes up with
SCRAM-SHA-256 by the way, which is stronger by design for such things.
--
Michael
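Since the reply above says the password file can only hold the password in plain form, the file's protection rests entirely on file permissions and on the lookup logic. The following is an added example (not code from PostgreSQL or from anyone in this thread) that reimplements in Python the two things libpq does with a password file: it refuses a file that is group- or world-accessible (libpq requires mode 0600 or stricter on Unix), and it matches `hostname:port:database:username:password` entries with `*` wildcards and `\:` / `\\` escapes. Treating lines starting with `#` as comments is this script's own convention, and the entries and password values are constructed samples.

```python
import os
import stat
import tempfile


def parse_pgpass_line(line):
    """Split one .pgpass line into its five fields, honouring the \\: and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped colon or backslash is literal
            i += 2
            continue
        if c == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 5:
        raise ValueError("expected 5 colon-separated fields: %r" % line)
    return fields


def pgpass_is_usable(path):
    """Mirror libpq's Unix check: a password file with any group/other bits set is ignored."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (stat.S_IMODE(st.st_mode) & 0o077) == 0


def lookup_pgpass(path, host, port, dbname, user):
    """Return the password of the first matching entry, or None (file unusable or no match)."""
    if not pgpass_is_usable(path):
        return None
    with open(path) as f:
        for raw in f:
            line = raw.rstrip("\r\n")
            if not line or line.startswith("#"):   # '#' comments: this script's convention
                continue
            h, p, d, u, pw = parse_pgpass_line(line)
            if all(want == "*" or want == have
                   for want, have in ((h, host), (p, port), (d, dbname), (u, user))):
                return pw
    return None


def demo():
    """Constructed sample file: lookup works at 0600 and is refused once the file is 0644."""
    sample = "\n".join([
        "# constructed sample entries, not real credentials",
        r"db.example.com:5432:inventory:alice:s3cret-constructed",
        r"*:*:*:bob:colon\:and\\backslash",
    ]) + "\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(sample)
    try:
        os.chmod(path, 0o600)
        good = lookup_pgpass(path, "db.example.com", "5432", "inventory", "alice")
        wildcard = lookup_pgpass(path, "anyhost", "5433", "anydb", "bob")
        os.chmod(path, 0o644)   # group/world readable: libpq would warn and ignore the file
        refused = lookup_pgpass(path, "db.example.com", "5432", "inventory", "alice")
    finally:
        os.unlink(path)
    return good, wildcard, refused


if __name__ == "__main__":
    print(demo())
```

The permission check is the practical answer to the original question: the password is in the clear, so the file must stay 0600 and must live only on hosts where that is an adequate control.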


Re: Password encryption

From
pinker
Date:
Michael Paquier wrote
> 
> A user knowing only the MD5 hash, and not the plain password would
> still be able to connect, so you really had better use SSL anyway if
> connecting with an untrusted network. Postgres 10 comes up with
> SCRAM-SHA-256 by the way, which is stronger by design for such things.

Hi, by untrusted network do you mean eavesdropping or some other "evil"
technique?
With a normal client like psql or pgAdmin there is no way to log in having only the md5
hash, right?



--
Sent from: http://www.postgresql-archive.org/PostgreSQL-docs-f2165602.html
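Michael's description of the MD5 exchange, as an added example that is not part of any post in this thread and not PostgreSQL's own code: the server stores `md5` followed by `md5(password || username)`, sends a 4-byte salt as its challenge, and checks that the client's reply equals `md5` followed by `md5(stored_hex || salt)`. Because the verifier below needs nothing but the stored value, that stored value is as sensitive as the password itself, which is the reason to protect `pg_authid` like a password store and to prefer `password_encryption = scram-sha-256` (PostgreSQL 10 and later). The password, username and salt are constructed sample values.

```python
import hashlib
import hmac


def pg_md5_stored(password: str, user: str) -> str:
    """Value the server keeps in pg_authid for MD5 auth: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + user).encode("utf-8")).hexdigest()


def md5_auth_response(stored: str, salt: bytes) -> str:
    """Response expected for a given stored value and 4-byte challenge salt."""
    if not stored.startswith("md5") or len(stored) != 35 or len(salt) != 4:
        raise ValueError("need a 'md5' + 32 hex chars stored value and a 4-byte salt")
    inner_hex = stored[3:]
    return "md5" + hashlib.md5(inner_hex.encode("ascii") + salt).hexdigest()


def client_response(password: str, user: str, salt: bytes) -> str:
    """What libpq computes from the plaintext password: the inner hash first, then the salted one."""
    return md5_auth_response(pg_md5_stored(password, user), salt)


def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check: only the stored value and the salt it issued are needed."""
    return hmac.compare_digest(md5_auth_response(stored, salt), response)


def demo():
    """Constructed exchange: correct password verifies, wrong password does not."""
    user, password = "alice", "hunter2-constructed"
    stored = pg_md5_stored(password, user)       # as kept in pg_authid.rolpassword
    salt = b"\x01\x02\x03\x04"                   # AuthenticationMD5Password challenge
    ok = server_verify(stored, salt, client_response(password, user, salt))
    bad = server_verify(stored, salt, client_response("wrong-constructed", user, salt))
    return stored, ok, bad


if __name__ == "__main__":
    print(demo())
```

The verifier never sees the plaintext; the plaintext only matters at the client, which is what the thread means by the stored MD5 hash being enough. SCRAM-SHA-256 changes this: its stored verifier (StoredKey/ServerKey) cannot be replayed as a client proof, and the exchange also binds a client nonce, so neither a captured exchange nor a leaked verifier stands in for the password.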