From: Tom Lane on
Robert Haas <robertmhaas(a)gmail.com> writes:
> But how much value is there in that? This whole thing seems like a
> dead end to me. No matter how long you're willing to wait, putting
> the checking on the client side will let you far more validation for
> the same price.

No doubt, but ...

The value of doing it on the server side is you only have to implement
it once, and you don't have to hope that all your users are using the
most up-to-date clients that will enforce a check. (The more troglodytic
of them might be using a direct ALTER USER PASSWORD command, which will
certainly not result in any client-side check happening.)

Even if we encouraged client-side tool authors to implement password
checking, the lack of consensus about what the checks should be would
pretty much guarantee lack of uniformity about exactly what got checked
in any real installation. Which is not the sort of thing that makes
security auditors feel all warm and fuzzy.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Andrew Dunstan <andrew(a)dunslane.net> writes:
> Why do we need to answer that question? If all we do is provide a hook,
> the cost is very low, and the decision on value is left to whoever is
> deploying some module to use the hook.

Right. As long as it's just a hook, it's not enough work to justify
lots of debate. There is a plausible use-case, and that's enough.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Josh Berkus on
Mark,

> I read Josh's original suggestion to eventually evolve to "if a
> particular user account from a particular IP address uses the wrong
> password more than N times in T minutes, than the IP address is locked
> out for U minutes." This is the *only* way of significantly reducing the
> ability of a client to guess the password using "brute force".

As pointed out by others, that was a false assertion. Most
sophisticated attackers sniff the MD5 password over the network or by
other means, and then brute force match it without trying to connect to
the DB.

--
Josh Berkus
PostgreSQL Experts Inc.
www.pgexperts.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Mark Mielke on
On 09/29/2009 12:54 PM, Josh Berkus wrote:
>> I read Josh's original suggestion to eventually evolve to "if a
>> particular user account from a particular IP address uses the wrong
>> password more than N times in T minutes, than the IP address is locked
>> out for U minutes." This is the *only* way of significantly reducing the
>> ability of a client to guess the password using "brute force".
>>
> As pointed out by others, that was a false assertion. Most
> sophisticated attackers sniff the MD5 password over the network or by
> other means, and then brute force match it without trying to connect to
> the DB.
>

I don't know about most. Sniffing requires an inside track. I cannot
sniff your network traffic from my notebook in Ottawa. Somebody so
inclined would have to first break into your network to see the password
you are sending. Then, if they can sniff your traffic, they can do all
sorts of other things. It's a bit of a wash in the grand scheme of things.

In practice, for the last decade, I have seen peaks of tens of thousands
of attempts a day to brute force into my machine from the Internet from
locations all over the world. It is not limited to telnet or SSH either
- they come in on IMAP ports, VNC ports, SMB ports, or anything else
that is widely used and exposed. Brute forcing through remote login is a
well used method of cracking. Still, their ability to guess is limited
by network capacity and network latency. So, it is on the order of
thousands, not millions, and basic password precautions such as "don't
use a word" are still quite effective.

I don't think knowing the MD5 is an attack on its own. It might be a
component in an escalation vector whereby the first get access to one
resource, and then sniff the MD5 or see it in the backend database
storage, to break into another resource. In any case - if they get the
MD5, PostgreSQL is already compromised, and the next attack is more
likely to affect something else - not PostgreSQL itself.

Within our company, the crypt() passwords are available to all employees
via NIS. Technically, this is a problem - but in practice, how much
effort is this worth resolving? If they can get onto our network to get
access to the crypt() password, they probably already have access to
other intellectual property.

Mostly - I'm saying that PostgreSQL using MD5 is a minor issue -
switching to SHA-1 is not going to eliminate the problem, it will just
make things a tiny bit harder for a would be attacker. To actually close
the window, as opposed to push it closed a little tighter, would take a
lot more effort.

Cheers,
mark

--
Mark Mielke<mark(a)mielke.cc>


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: "Albe Laurenz" on
In the discussion following
http://archives.postgresql.org/pgsql-hackers/2009-09/msg01766.php
the consensus was that a hook that allows you to implement
a password checking routine as a module "would not hurt".

So here's the patch.
I don't think there is documentation required;
correct me if I am wrong.

Yours,
Laurenz Albe