Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r7zqD-007lEr-H9 for pgsql-hackers@arkaria.postgresql.org; Tue, 28 Nov 2023 15:17:37 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1r7zqC-005jkI-5h for pgsql-hackers@arkaria.postgresql.org; Tue, 28 Nov 2023 15:17:36 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r7zpQ-005gpH-Te for pgsql-hackers@lists.postgresql.org; Tue, 28 Nov 2023 15:16:48 +0000 Received: from tamriel.snowman.net ([70.109.60.50]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r7zpO-007mtn-Eo for pgsql-hackers@postgresql.org; Tue, 28 Nov 2023 15:16:47 +0000 Received: by tamriel.snowman.net (Postfix, from userid 1000) id B4EB75F7BA; Tue, 28 Nov 2023 10:16:41 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=snowman.net; s=dkim; t=1701184601; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=wmCQ0JNOTnfFstsez/1CsoLRNZLYSLsGr1i9ZDYtDQQ=; b=vIGwfzW8LOKNDrahlF4WmYP4MH/KpPlE+qCiiXbiu7angKma0WHvH0f45q0GPFzKeiXNe2 LyejX6MsKSfRT3CwwRUVk6kJTMpVKwPr55tQVgAYzhsYAFx4zhxGJBXwIENpGRImIDwrzg o3JS7S/clkZuTp5g7FTv5eOXe/J8JtM= Date: Tue, 28 Nov 2023 10:16:41 -0500 From: Stephen Frost To: Robert Haas Cc: Bruce Momjian , Michael Paquier , PostgreSQL mailing lists Subject: Re: [HACKERS] Changing references of password encryption to hashing Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="jK/RENHqnKjsc/MJ" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.1.4 (2021-12-11) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --jK/RENHqnKjsc/MJ Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings, * Robert Haas (robertmhaas@gmail.com) wrote: > On Tue, Nov 28, 2023 at 9:55=E2=80=AFAM Stephen Frost wrote: > > I do think we should use the correct terminology in our documentation > > and would support your working on improving things in this area. >=20 > +1. >=20 > > I do wonder if perhaps we would be better off by having someone spend > > time on removing terribly insecure authentication methods like md5 and > > ldap though ... >=20 > Wait, what's insecure about LDAP? We pass a completely cleartext password to the server from the client. Yes, we might encrypt it on the way with TLS, but even SSH realized how terrible that is long, long ago and strongly discourages it these days. The problem with ldap as an auth method is that a single compromised PG server in an AD/ldap environment can collect up those username+password credentials and gain access to those users *domain* level access. The CFO logging into a PG server with LDAP auth is giving up their complete access credentials to the entire AD domain. That's terrible. > I think we should eventually remove MD5, but I think there's no rush. I disagree- it's a known pass-the-hash vulnerability and frankly every release we do with it still existing is deserving of an immediate CVE (I've been asked off-list why we don't do this, in fact). > People who care about security will have already switched, and people > who don't care about security are not required to start caring. I wish it were this simple. It's just not though. > Eventually the maintenance burden will become large enough that it > makes sense to phase it out for that reason, but I haven't seen any > evidence that we're anywhere close to that point. This seems to invite the idea that what people who care about this need to do is make it painful for us to continue to keep it around, which I really don't think is best for anyone. We know it's bad, we know it is broken, we need to remove it, not pretend like it's not broken or not bad. Thanks, Stephen --jK/RENHqnKjsc/MJ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEwf6gbxKhD863zrx/7WyKOINHZFUFAmVmBFkACgkQ7WyKOINH ZFW/2BAAu/aD8WlQ1UUIXm7U2sTEStHqkExkK3YFFakNzyaVEJWzoqWM3E/x27j1 l4xz6D8p3srDupkJ/kP/A48CJdN2UDS1VDszliquFTIHlnvCF7wcdNSvltmqI0sE HhMstOMAytP3sqAqv7seWzLQ9JGejODqEd8ls8g8QQ3qS0G4oHoyOQ29m+LGNzvE 2D+EZGGpdtf2/dPAKlJtGcKinc1V/kLo92uoCoIp87vWetNyqoUy5cmchLYl64+y 7avbhPuLD6xscxamNDCbneVjbR/ROGnpKuB84G7jfS48XrpFbsJPJhOpQFyyBYon 61SCXxE6F5LTmbMLj40DdwiEeuBefC6R5lhCepDzBBopH/0ojZbXtXReNiwlH0xQ iGeKRnq2sEFREuEv+IPF05Xr0f65awfbf/u9IQ+vIsc30fBawkeP8/Pm/UNthWqk 7QGmapFkiJYhx/9wi50jH4AxZwh76jQMJfAApS0zJeAsUzE6d+t6e4ocLvH5KMOT sw/hhyg4uWohphSPKRk6TaT8Vwec7Uww269Yt/6tWlnLZlrwyXR8Bhr9NR811wFu duZVaaqWmKKE9MGOmovDTnH7R6PXiBzUu05vyDv5btyZFZknBwhuRnlXRwjedRSX 27wDHl2psrjuuSyS/3gorORmnOcjTqjjNOvnskIpphhUVUGyLBU= =yogH -----END PGP SIGNATURE----- --jK/RENHqnKjsc/MJ--