From: Dave Page on
On Wed, Oct 14, 2009 at 10:51 PM, Kevin Grittner
<Kevin.Grittner(a)wicourts.gov> wrote:
> Dave Page <dpage(a)pgadmin.org> wrote:
>
>> No. Any checks at the client are worthless, as they can be bypassed
>> by 10 minutes worth of simple coding in any of a dozen or more
>> languages.
>
> Well, sure, but we're talking about a client going out of their way to
> wrestle the point of the gun toward their own foot, aren't we?  If
> we're worried about the user compromising their own password, we have
> bigger problems, like that slip of paper in their desk drawer with the
> password written on it.  I mean, I know some of these checklists can
> be pretty brain-dead (I've been on both sides of the RFP process many
> times), but it would seem over the top to say that client-side
> password strength checks aren't OK for the reason you give.

See my previous comment about dates. Check-box items aside, I have
absolutely no desire to try to give the illusion of a security
feature, when in reality any user could easily bypass it.


--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Bruce Momjian on
Tom Lane wrote:
> "Kevin Grittner" <Kevin.Grittner(a)wicourts.gov> writes:
> > And, perhaps slightly off topic: if the login password is sent over a
> > non-encrypted stream, md5sum or not, can't someone use it to log in if
> > they're generating their own stream to connect?
>
> Not if they only capture a login exchange --- the password is doubly
> encrypted during that. If they see the md5'd password in a CREATE USER
> command, then yeah, they could pass a subsequent md5 challenge, using
> suitably modified client software that doesn't try to re-encrypt the
> given password.
>
> But the main point is to hide the cleartext password, in any case.

What if we added a GUC that only allowed password changes via an SSL
connection. You could say that is a security enhancement, and
administrators could set up their systems to use 'password'
authentication for SSL and check the password strength on the server
because they come in clear-text.

--
Bruce Momjian <bruce(a)momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Peter Eisentraut on
On Wed, 2009-10-14 at 12:59 -0400, Tom Lane wrote:
> If psql or pgAdmin takes a password and
> then sends it in the clear without telling me, that's a breach of
> trust
> with potentially serious consequences. I might not trust the DBA, for
> example, or I might be less confident of the network infrastructure
> than he is.

Well, you would lose anyway if the DBA switches the pg_hba.conf setting
from md5 to password without telling you. There is usually no
straightforward way in client applications to guard against that.
Something to think about.


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Mark Mielke on
On 10/14/2009 05:33 PM, Dave Page wrote:
> On Wed, Oct 14, 2009 at 9:50 PM, Kevin Grittner
> <Kevin.Grittner(a)wicourts.gov> wrote:
>
>> Can they check the box if the provided clients include password
>> strength checking? I'm just wondering if we're going at this the hard
>> way, if that really is the main goal.
>>
> No. Any checks at the client are worthless, as they can be bypassed by
> 10 minutes worth of simple coding in any of a dozen or more languages.
>

Why care? If the client is purposefully disabling passwords checks to
use a "weak" password - this is an entirely different problem from
somebody trying a weak password and being allowed. Circumvention of
process is always a risk, and should be dealt with as a human resources
problem. Why not stop the admin from disabling the security check when
they create their pgadmin password too? We can't trust anybody - right?

PAM does security checking client-side I think? I'm sure others do too?

I'm not saying server checks are worthless - but I think you are
exaggerating to say that client checks are worthless. Sending the
password in cleartext via SQL seems bad. Sending it encoded seems only
marginally better. Sending it in MD5 is good but means that password
strength needs to be done by the client. You are saying that it's worth
the loss of security in one area, to improve security in another.
Providing client checks in the "official" clients is probably sufficient
for your checkbox that you think is so important. Unless you think it is
impossible to circumvent process in any of these "other" databases that
do such a better job?

Personally, I don't think PostgreSQL is the best place to manage
passwords at this level anyways, beyond the basic usage. PostgreSQL
shouldn't need to know the password, and the password should still be
required to as strong as the organization requires it. Lots of other
solutions here - PAM, LDAP, Kerberos, ... How much of these solutions
should PostgreSQL re-implement?

Cheers,
mark

--
Mark Mielke<mark(a)mielke.cc>


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Peter Eisentraut <peter_e(a)gmx.net> writes:
> Well, you would lose anyway if the DBA switches the pg_hba.conf setting
> from md5 to password without telling you.

True :-(. Anybody for a zero-knowledge protocol?

(Realistically, non-password-based auth methods are the only real
solution here, I fear. We should probably be doing more to encourage
people to use SSL-cert-based authentication in low-trust situations.)

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers