From: Dave Page on
On Wed, Oct 14, 2009 at 4:30 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> Dave Page <dpage(a)pgadmin.org> writes:
>> On Wed, Oct 14, 2009 at 4:11 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>>> If you're really intent on making that happen, you can have your
>>> password checker plugin reject crypted passwords; we don't need
>>> such a questionable rule in core.
>
>> Client software would need to have a standard way to know when to use
>> ENCRYPTED PASSWORD or not.
>
> Oh, so you want us to propagate extra support for this blatant security
> reduction all over the system too?  No thank you.

You've twice asserted it's a reduction without providing any arguments
to back that up. I argue that you *possibly* open a very hard to
exploit hole, which is exploitable only by sysadmins/DBAs, in return
for which you close a very large hole that allows users to reuse
passwords or use common or easy to guess words.

If I am incorrect or have missed an important point, please explain why or what.

> This whole line of discussion just proves the point that was made
> originally: it would be a lot better to do whatever checking you want
> done on the client side, rather than risk transmitting unencrypted
> passwords.  If you are going to imagine that client-side software knows
> about such a GUC, you might as well imagine that they have cracklib
> built in.

Surely you can see that it is *absolutely pointless* to put an
password complexity checking in the client? All a user would need to
do is grab a copy of psql to bypass it. If they can't do that, there's
probably a scripting language or 12 that would make it similarly easy.


--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
On Wed, Oct 14, 2009 at 11:44 AM, Dave Page <dpage(a)pgadmin.org> wrote:
> On Wed, Oct 14, 2009 at 4:30 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>> Dave Page <dpage(a)pgadmin.org> writes:
>>> On Wed, Oct 14, 2009 at 4:11 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>>>> If you're really intent on making that happen, you can have your
>>>> password checker plugin reject crypted passwords; we don't need
>>>> such a questionable rule in core.
>>
>>> Client software would need to have a standard way to know when to use
>>> ENCRYPTED PASSWORD or not.
>>
>> Oh, so you want us to propagate extra support for this blatant security
>> reduction all over the system too?  No thank you.
>
> You've twice asserted it's a reduction without providing any arguments
> to back that up. I argue that you *possibly* open a very hard to
> exploit hole, which is exploitable only by sysadmins/DBAs, in return
> for which you close a very large hole that allows users to reuse
> passwords or use common or easy to guess words.
>
> If I am incorrect or have missed an important point, please explain why or what.
>
>> This whole line of discussion just proves the point that was made
>> originally: it would be a lot better to do whatever checking you want
>> done on the client side, rather than risk transmitting unencrypted
>> passwords.  If you are going to imagine that client-side software knows
>> about such a GUC, you might as well imagine that they have cracklib
>> built in.
>
> Surely you can see that it is *absolutely pointless* to put an
> password complexity checking in the client? All a user would need to
> do is grab a copy of psql to bypass it. If they can't do that, there's
> probably a scripting language or 12 that would make it similarly easy.

To all of the above, +1.

....Robert

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Dave Page <dpage(a)pgadmin.org> writes:
> You've twice asserted it's a reduction without providing any arguments
> to back that up.

You quoted two good arguments why it's insecure in your original
message, neither of which your proposed GUC does anything to protect
against; and you also admitted that there might be other leakage paths
we haven't thought of. That seems to me to be more than sufficient
reason to not encourage people to go back to passing unencrypted
passwords around.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Dave Page on
On Wed, Oct 14, 2009 at 5:08 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> Dave Page <dpage(a)pgadmin.org> writes:
>> You've twice asserted it's a reduction without providing any arguments
>> to back that up.
>
> You quoted two good arguments why it's insecure in your original
> message, neither of which your proposed GUC does anything to protect
> against;

I see one, and I proposed masking passwords in any relevant queries
before they were written to the stats or logs to mitigate that.

> and you also admitted that there might be other leakage paths
> we haven't thought of.  That seems to me to be more than sufficient
> reason to not encourage people to go back to passing unencrypted
> passwords around.

Yes. Which is why I asked your opinion as there's a far greater chance
you would know of any such paths than I, *and* whether they represent
a greater risk than the complete lack of control over the
effectiveness of users passwords that we currently have.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Dave Page <dpage(a)pgadmin.org> writes:
> On Wed, Oct 14, 2009 at 5:08 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> I see one, and I proposed masking passwords in any relevant queries
> before they were written to the stats or logs to mitigate that.

Let's see you do that (hint: "CREATD USER ... PASSWORD" is going to
throw a syntax error before you realize there's anything there that
might need to be protected).

And you ignored the question of insecure transmission pathways, anyway.
By the time the backend has figured out that it's got a CREATE USER
.... PASSWORD command, it's already way too late if the client sent it
over a non-SSL connection.

Marko has pointed out repeatedly that a plugin can catch the worst
cases of insecure passwords even when given a pre-md5'd password.
So you can use a plugin that does it that way, or if you want you
can use a plugin that throws error on a pre-md5'd password. I do
not see a reason for us to add a boatload of questionable logic
that favors the latter approach.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers