Updated TODO list
Attached is the current TODO list. It has all the current things I
have.
This is also updated in the cvs tree every time I make a change.
---------------------------------------------------------------------------
TODO list for PostgreSQL
========================
Last updated: Wed Jul 7 23:33:17 EDT 1999
Current maintainer: Bruce Momjian (maillist@candle.pha.pa.us)
The most recent version of this document can be viewed at
the PostgreSQL web site, http://www.postgreSQL.org.
A dash(-) marks changes that will appear in the next release.
RELIABILITY
-----------
RESOURCES
* Elog() does not free all its memory(Jan)
* spinlock stuck problem when elog(FATAL) and elog(ERROR) inside bufmgr
* Recover or force failure when disk space is exhausted
PARSER
* Disallow inherited columns with the same name as new columns
* INSERT INTO ... SELECT with AS columns matching result columns problem
* SELECT pg_class FROM pg_class generates strange error
* Alter TABLE ADD COLUMN does not honor DEFAULT, add CONSTRAINT
* Do not allow bpchar column creation without length
* Select a[1] FROM test fails, it needs test.a[1]
* Array index references without table name cause problems
* Update table SET table.value = 3 fails
* Creating index of TIMESTAMP & RELTIME fails, rename to DATETIME(Thomas)
* SELECT foo UNION SELECT foo is incorrectly simplified to SELECT foo
* INSERT ... SELECT ... GROUP BY groups by target columns not source columns
* CREATE TABLE test (a char(5) DEFAULT text '', b int4) fails on INSERT
* UNION with LIMIT fails
VIEWS
* Views containing aggregates sometimes fail(Jan)
* Views with spaces in view name fail when referenced
MISC
* User who can create databases can modify pg_database table
* Plpgsql does not handle quoted mixed-case identifiers
ENHANCEMENTS
------------
URGENT
* Add referential integrity
* Add OUTER joins, left and right(Thomas)
* Allow long tuples by chaining or auto-storing outside db (chaining,large objs)
* Eliminate limits on query length
* Fix memory leak for expressions?, aggregates?
EXOTIC FEATURES
* Add sql3 recursive unions
* Add the concept of dataspaces
* Add replication of distributed databases
* Allow queries across multiple databases
ADMIN
* Better interface for adding to pg_group
* More access control over who can create tables and access the database
* Add syslog functionality
* Allow elog() to return error codes, not just messages
* Allow international error message support and add error codes
* Generate postmaster pid file and remove flock/fcntl lock code
* Add ability to specifiy location of lock/socket files
TYPES
* Add BIT, BIT VARYING
* Nchar (as distinguished from ordinary varchar),
* Domain capability
* Add STDDEV/VARIANCE() function for standard deviation computation/variance
* Allow compression of large fields or a compressed field type
* Large objects
o Fix large object mapping scheme, own typeid or reltype(Peter)
o Allow large text type to use large objects(Peter)
o Not to stuff everything as files in a single directory, hash dirs
o Allow large object vacuuming
* Allow pg_descriptions when creating types, tables, columns, and functions
* Add IPv6 capability to INET/CIDR types
* Make a separate SERIAL type?
* Store binary-compatible type information in the system
* Allow user to define char1 column
* Add support for & operator
* Allow LOCALE on a per-column basis, default to ASCII
* Allow array on int8[]
* Remove Money type, add money formatting for decimal type
* Declare typein/out functions in pg_proc with a special "C string" data type
* Add non-large-object binary field
* Add index on NUMERIC type
VIEWS
* Allow DISTINCT on views
* Allow views of aggregate columns
* Allow views with subselects
INDEXES
* Allow CREATE INDEX zman_index ON test (date_trunc( 'day', zman ) datetime_ops)
fails index can't store constant parameters
* Allow creation of functional indexes to use default types
* Permissions on indexes - prevent them?
* Allow SQL function indexes
* Add FILLFACTOR to index creation
* Allow indexing of LIKE with localle character sets
* Allow indexing of more than eight columns
COMMANDS
* ALTER TABLE ADD COLUMN to inherited table put column in wrong place
* Add ALTER TABLE DROP/ALTER COLUMN feature
* Allow CLUSTER on all tables at once, and improve CLUSTER
* Generate error on CREATE OPERATOR of ~~, ~ and and ~*
* Add SIMILAR TO to allow character classes, 'pg_[a-c]%'
* Auto-destroy sequence on DROP of table with SERIAL(Ryan)
* Allow LOCK TABLE tab1, tab2, tab3 so all tables locked in unison
* Allow INSERT/UPDATE of system-generated oid value for a row
* Allow ESCAPE '\' at the end of LIKE for ANSI compliance
* Rewrite the LIKE handling by rewriting the user string with the
supplied ESCAPE
* Move LIKE index optimization handling to the optimizer
CLIENTS
* Make NULL's come out at the beginning or end depending on the
ORDER BY direction
* Allow flag to control COPY input/output of NULLs
* Update reltuples from COPY command
* Allow psql \copy to allow delimiters
* Add a function to return the last inserted oid, for use in psql scripts
* Allow psql to print nulls as distinct from ""(?)
* PQrequestCancel() be able to terminate backend waiting for lock
MISC
* Increase identifier length(NAMEDATALEN) if small performance hit
* Allow row re-use without vacuum(Vadim)
* Create a background process for each database that runs while
database is idle, finding superceeded rows, gathering stats and vacuuming
* Add UNIQUE capability to non-btree indexes
* Certain indexes will not shrink, i.e. oid indexes with many inserts
* Restore unused oid's on backend exit if no one else has gotten oids
* Have UPDATE/DELETE clean out indexes
* Allow WHERE restriction on ctid
* Allow cursors to be DECLAREd/OPENed/CLOSEed outside transactions
* Allow PQrequestCancel() to terminate when in waiting-for-lock state
* Transaction log, so re-do log can be on a separate disk by
with after-row images
* Populate backend status area and write program to dump status data
* Make oid use unsigned int more reliably, pg_atoi()
* Allow subqueries in target list
* Put sort files, large objects in their on directory
* Do autocommit so always in a transaction block
* Show location of syntax error in query
* Redesign the function call interface to handle NULLs better(Jan)
* Document/trigger/rule so changes to pg_shadow create pg_pwd
* Missing optimizer selectivities for date, r-tree, etc.
* Overhaul mdmgr/smgr to fix double unlinking and double opens, cleanup
* Overhaul bufmgr/lockmgr/transaction manager
* Tables that start with xinv confused to be large objects
* Add PL/Perl(Mark Hollomon)
PERFORMANCE
-----------
FSYNC
* Allow transaction commits with rollback with no-fsync performance
* Prevent fsync in SELECT-only queries
INDEXES
* Use indexes in ORDER BY for restrictive data sets, min(), max()
* Pull requested data directly from indexes, bypassing heap data
* Use index to restrict rows returned by multi-key index when used with
non-consecutive keys or OR clauses, so fewer heap accesses
* Convert function(constant) into a constant for index use
* Allow LIMIT ability on single-table queries that have no ORDER BY to use
a matching index
* Improve LIMIT processing by using index to limit rows processed
* Have optimizer take LIMIT into account when considering index scans
* Make index creation use psort code, because it is now faster(Vadim)
* Allow creation of sort temp tables > 1 Gig
* Create more system table indexes for faster cache lookups
* fix indexscan() so it does leak memory by not requiring caller to free
* Improve _bt_binsrch() to handle equal keys better, remove _bt_firsteq()(Tom)
CACHE
* Cache most recent query plan(s?)
* Shared catalog cache, reduce lseek()'s by caching table size in shared area
* elog() flushes cache, try invalidating just entries from current xact,
perhaps using invalidation cache
MISC
* Allow compression of log and meta data
* Update pg_statistic table to remove operator column
* Allow char() not to use variable-sized header to reduce disk size
* Do async I/O to do better read-ahead of data
* Fix memory exhaustion when using many OR's
* Get faster regex() code from Henry Spencer <henry@zoo.utoronto.ca>
when it is available
* Use mmap() rather than SYSV shared memory(?)
* Process const = const parts of OR clause in separate pass
* Make oid use oidin/oidout not int4in/int4out in pg_type.h
* Improve Subplan list handling
* Allow Subplans to use efficient joins(hash, merge) with upper variable
* use fmgr_info()/fmgr_faddr() instead of fmgr() calls in high-traffic
places, like GROUP BY, UNIQUE, index processing, etc.
* improve dynamic memory allocation by introducing tuple-context memory
allocation
* fix memory leak in cache code when non-existant table is referenced
* In WHERE x=3 AND x=y, add y=3
* pass atttypmod through parser in more cases(Bruce)
* remove duplicate type in/out functions for disk and net
SOURCE CODE
-----------
* Add use of 'const' for varibles in source tree
* Fix C optimizer problem where fmgr_ptr calls return different types
---------------------------------------------------------------------------
Developers who have claimed items are:
--------------------------------------
* Billy is Billy G. Allie <Bill.Allie@mug.org>
* Brook is Brook Milligan <brook@trillium.NMSU.Edu>
* Bruce is Bruce Momjian<maillist@candle.pha.pa.us>
* Bryan is Bryan Henderson<bryanh@giraffe.netgate.net>
* D'Arcy is D'Arcy J.M. Cain <darcy@druid.net>
* David is David Hartwig <daveh@insightdist.com>
* Edmund is Edmund Mergl <E.Mergl@bawue.de>
* Goran is Goran Thyni <goran@kyla.kiruna.se>
* Hiroshi is Hiroshi Inoue<Inoue@tpf.co.jp>
* Jan is Jan Wieck <wieck@sapserv.debis.de>
* Marc is Marc Fournier <scrappy@hub.org>
* Massimo Dal Zotto <dz@cs.unitn.it>
* Michael is Michael Meskes <meskes@postgresql.org>
* Oleg is Oleg Bartunov <oleg@sai.msu.su>
* Peter is Peter T Mount <peter@retep.org.uk>
* Ryan is Ryan Bradetich <rbrad@hpb50023.boi.hp.com>
* Stefan Simkovics <ssimkovi@rainbow.studorg.tuwien.ac.at>
* Tatsuo is Tatsuo Ishii <t-ishii@sra.co.jp>
* Tom is Tom Lane <tgl@sss.pgh.pa.us>
* Thomas is Thomas Lockhart <lockhart@alumni.caltech.edu>
* TomH is Tom I Helbekkmo <tih@Hamartun.Priv.NO>
* Vadim is "Vadim B. Mikheev" <vadim@krs.ru>
--
Bruce Momjian | http://www.op.net/~candle
maillist@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
ADMIN
* Better interface for adding to pg_group
* More access control over who can create tables and access the database
* Add syslog functionality
* Allow elog() to return error codes, not just messages
* Allow international error message support and add error codes
* Generate postmaster pid file and remove flock/fcntl lock code
* Add ability to specifiy location of lock/socket files
How about:
* Not storing passwords in plain text
ADMIN
* Allow international error message support and add error codes
The JDBC driver already has the international error message support. All
it needs are some translations of the errors.properties file.
It would be easy to add error codes to it.
TYPES
* Large objects
o Fix large object mapping scheme, own typeid or reltype(Peter)
o Allow large text type to use large objects(Peter)
I hope to these two done for 6.6
o Not to stuff everything as files in a single directory, hash
dirs
o Allow large object vacuuming
Do you mean vacuuming within a large objects table, or removing orphaned
ones?
A solution for orphaning is in contrib, although it still needs some
work.
On the JDBC front, I'm planning for 6.6:
* Array support
* Large Object Stream support
* More JDBC2 API implemented
But the big one will be to get the driver to use the current protocol.
Up until now, it's been using the 6.3 backend protocol. Now that the
current driver supports JDBC2, I want to get it up to date.
This will mean that the 6.6 driver will not be backward compatible with
earlier backends (I can't remember which one started using the current
protocol). The 6.5 driver does support 6.3 and 6.4.x backends.
Peter
--
Peter Mount
Enterprise Support
Maidstone Borough Council
Any views stated are my own, and not those of Maidstone Borough Council.
Import Notes
Resolved by subject fallback
[Charset iso-8859-1 unsupported, filtering to ASCII...]
ADMIN
* Better interface for adding to pg_group
* More access control over who can create tables and access the database
* Add syslog functionality
* Allow elog() to return error codes, not just messages
* Allow international error message support and add error codes
* Generate postmaster pid file and remove flock/fcntl lock code
* Add ability to specifiy location of lock/socket filesHow about:
* Not storing passwords in plain text
But we don't, do we? I thougth they were hashed.
--
Bruce Momjian | http://www.op.net/~candle
maillist@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026[Charset iso-8859-1 unsupported, filtering to ASCII...]
ADMIN
* Better interface for adding to pg_group
* More access control over who can create tables and access the database
* Add syslog functionality
* Allow elog() to return error codes, not just messages
* Allow international error message support and add error codes
* Generate postmaster pid file and remove flock/fcntl lock code
* Add ability to specifiy location of lock/socket filesHow about:
* Not storing passwords in plain text
I have just added this item:
* Make postgres user have a password by default
--
Bruce Momjian | http://www.op.net/~candle
maillist@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026ADMIN
* Allow international error message support and add error codes
The JDBC driver already has the international error message support. All
it needs are some translations of the errors.properties file.It would be easy to add error codes to it.
Good. I think Vadim wasn't codes from the backend for scripts and
stuff.
TYPES
* Large objects
o Fix large object mapping scheme, own typeid or reltype(Peter)
o Allow large text type to use large objects(Peter)I hope to these two done for 6.6
Good. I can help too.
o Not to stuff everything as files in a single directory, hash
dirs
o Allow large object vacuuming
Do you mean vacuuming within a large objects table, or removing orphaned
ones?
Tom Lane says you can get multiple versions of a large object in the
file, and there is no way to remove them.
A solution for orphaning is in contrib, although it still needs some
work.On the JDBC front, I'm planning for 6.6:
* Array support
* Large Object Stream support
* More JDBC2 API implementedBut the big one will be to get the driver to use the current protocol.
Up until now, it's been using the 6.3 backend protocol. Now that the
current driver supports JDBC2, I want to get it up to date.
Cool.
This will mean that the 6.6 driver will not be backward compatible with
earlier backends (I can't remember which one started using the current
protocol). The 6.5 driver does support 6.3 and 6.4.x backends.
That is not a problem. We have given them enough releases that will
work with the new driver.
--
Bruce Momjian | http://www.op.net/~candle
maillist@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Bruce Momjian wrote:
[Charset iso-8859-1 unsupported, filtering to ASCII...]
ADMIN
* Better interface for adding to pg_group
* More access control over who can create tables and access the database
* Add syslog functionality
* Allow elog() to return error codes, not just messages
* Allow international error message support and add error codes
* Generate postmaster pid file and remove flock/fcntl lock code
* Add ability to specifiy location of lock/socket filesHow about:
* Not storing passwords in plain textBut we don't, do we? I thougth they were hashed.
do
select * from pg_shadow;
I think that it was agreed that it is better when they can't bw snatched
from
network than to have them hashed in db.
Using currently known technologies we must either either know the
original password
and use challenge-response on net, or else use plaintext (or equivalent)
on the wire.
-------------------
Hannu
From: Bruce Momjian <maillist@candle.pha.pa.us>
ADMIN
How about:
* Not storing passwords in plain textBut we don't, do we? I thougth they were hashed.
maybe I miss something but it does not look so to me:
[PostgreSQL 6.5.0 on i386-unknown-freebsd3.2, compiled by gcc 2.7.2.1]
test1=> select * from pg_shadow;
usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil
--------+--------+-----------+--------+--------+---------+------+-----------
-----------------
postgres| 2000|t |t |t |t | |Sat Jan 31
09:00:00 2037 MSK
afmmgr | 2001|f |t |f |t |mgrpwd|
afmusr | 2002|f |t |f |t |usrpwd|
(3 rows)
From: Hannu Krosing <hannu@trust.ee>
How about:
* Not storing passwords in plain textBut we don't, do we? I thougth they were hashed.
do
select * from pg_shadow;I think that it was agreed that it is better when they can't bw snatched
from
network than to have them hashed in db.
Using currently known technologies we must either either know the
original password
and use challenge-response on net, or else use plaintext (or equivalent)
on the wire.
I would be happier even with storing passwords at the server as a reversible
hash. For example, xor all user passwords with some value (for example
"PostgreSQL") and store base64(xor) strings instead of plain text.
Challenge-response authentication based on MD5 or SHA hashing would be
better, of course. A scheme like this would be reasonably secure:
1. Client initiates connection.
2. Server generates a long (16 byte) random value and passes it to the
client.
3. Client generates a one way hash of the user ID, SHA(password), and the
random number:
hash := SHA(uid [+] SHA(password) [+] randomval)
and sends openly uid and the hash back to the server
4. Server reconstructs the hash using stored SHA(password) and compares it
with the received hash.
Even more secure: don't store SHA(password) at the server but store
SHA(password) XOR <mastervalue>.
Gene Sokolov.
It would be nice if the password scheme you finally settle on can be
optionally replaced (compile-time) by the password hash available native
on the OS. In the case of OpenBSD, the Blowfish-based replacement for the
DES or MD5 based crypt(3) is better suited to resisting dictionary and
other offline attacks by fast processors.
This suggestion is useful in case the shadow password file is compromised.
It is independent of any challenge-response protocol you apply upstream.
Ciao
--Louis <louis@bertrandtech.on.ca>
Louis Bertrand http://www.bertrandtech.on.ca
Bertrand Technical Services, Bowmanville, ON, Canada
OpenBSD: Because security matters. http://www.openbsd.org/
On Fri, 9 Jul 1999, Gene Sokolov wrote:
Show quoted text
I would be happier even with storing passwords at the server as a reversible
hash. For example, xor all user passwords with some value (for example
"PostgreSQL") and store base64(xor) strings instead of plain text.Challenge-response authentication based on MD5 or SHA hashing would be
better, of course. A scheme like this would be reasonably secure:1. Client initiates connection.
2. Server generates a long (16 byte) random value and passes it to the
client.
3. Client generates a one way hash of the user ID, SHA(password), and the
random number:
hash := SHA(uid [+] SHA(password) [+] randomval)
and sends openly uid and the hash back to the server
4. Server reconstructs the hash using stored SHA(password) and compares it
with the received hash.Even more secure: don't store SHA(password) at the server but store
SHA(password) XOR <mastervalue>.Gene Sokolov.
Gene Sokolov wrote:
From: Hannu Krosing <hannu@trust.ee>
I think that it was agreed that it is better when they can't bw snatched
from
network than to have them hashed in db.
Using currently known technologies we must either either know the
original password
and use challenge-response on net, or else use plaintext (or equivalent)
on the wire.
This seems correct to me.
[snip]
Challenge-response authentication based on MD5 or SHA hashing would be
better, of course. A scheme like this would be reasonably secure:1. Client initiates connection.
2. Server generates a long (16 byte) random value and passes it to the
client.
3. Client generates a one way hash of the user ID, SHA(password), and the
random number:
hash := SHA(uid [+] SHA(password) [+] randomval)
and sends openly uid and the hash back to the server
4. Server reconstructs the hash using stored SHA(password) and compares it
with the received hash.
But Hannu's point was that you can guard against network sniffing or you
can guard
against the evil 'select * pg_shadow', but not both.
While you're scheme _does_ secure against packet sniffing, it doesn't do
anything
against the select. So, you might as well just store 'password' and pass
back
hash := SHA(uid [+] password [+] randomval).
But I fully admit that cryptography is not my strong suit.
Even more secure: don't store SHA(password) at the server but store
SHA(password) XOR <mastervalue>.
I don't see how. I certainly know _my_ password. So I can compute
SHA(password). So,
if I can see what the database is storing, figuring out <mastervalue> is
a no brainer.
--
Mark Hollomon
mhh@nortelnetworks.com
ESN 451-9008 (302)454-9008
From: Mark Hollomon <mhh@nortelnetworks.com>
Challenge-response authentication based on MD5 or SHA hashing would be
better, of course. A scheme like this would be reasonably secure:1. Client initiates connection.
2. Server generates a long (16 byte) random value and passes it to the
client.
3. Client generates a one way hash of the user ID, SHA(password), and
the
random number:
hash := SHA(uid [+] SHA(password) [+] randomval)
and sends openly uid and the hash back to the server
4. Server reconstructs the hash using stored SHA(password) and compares
it
with the received hash.
[snip]
While you're scheme _does_ secure against packet sniffing, it doesn't do
anything
against the select. So, you might as well just store 'password' and pass
backhash := SHA(uid [+] password [+] randomval).
But I fully admit that cryptography is not my strong suit.
I cannot fully agree:
1. Select in this case would give you a value, which you have to use from a
*custom* modified client. Any standard client would not be able to use it.
2. Many people use the same or similar passwords for all logins. Just
obfuscating the passwords would be beneficial for them.
3. See below.
Even more secure: don't store SHA(password) at the server but store
SHA(password) XOR <mastervalue>.I don't see how. I certainly know _my_ password. So I can compute
SHA(password). So,
if I can see what the database is storing, figuring out <mastervalue> is
a no brainer.
Ok, make it SHA(pass) XOR SHA(mastervalue [+] uid). This way you can't get a
useful info without knowing the master value.
It would be nice if the password scheme you finally settle on can be
optionally replaced (compile-time) by the password hash available native
on the OS. In the case of OpenBSD, the Blowfish-based replacement for the
DES or MD5 based crypt(3) is better suited to resisting dictionary and
other offline attacks by fast processors.
Once you say "strong encryption", you also say "export controls", "wasenaar"
and "avoid it if you can". It means PgSQL team would have to maintain two
distributions - one for the US and one for the rest of the world. It's not
like it cannot be done. I just see no benefit in using encryption instead of
hashing. There is no need for DES or Blowfish to justify the pain.
Gene Sokolov.
Gene Sokolov wrote:
From: Mark Hollomon <mhh@nortelnetworks.com>
While you're scheme _does_ secure against packet sniffing, it doesn't do
anything
against the select. So, you might as well just store 'password' and pass
backhash := SHA(uid [+] password [+] randomval).
But I fully admit that cryptography is not my strong suit.
I cannot fully agree:
1. Select in this case would give you a value, which you have to use from a
*custom* modified client. Any standard client would not be able to use it.
2. Many people use the same or similar passwords for all logins. Just
obfuscating the passwords would be beneficial for them.
3. See below.
Okay, so only the 'casual cracker' is involved. I don't have a problem
as long
as long as that is stated.
Even more secure: don't store SHA(password) at the server but store
SHA(password) XOR <mastervalue>.I don't see how. I certainly know _my_ password. So I can compute
SHA(password). So,
if I can see what the database is storing, figuring out <mastervalue> is
a no brainer.Ok, make it SHA(pass) XOR SHA(mastervalue [+] uid). This way you can't get a
useful info without knowing the master value.
That is better. But, under the 'casual cracker' senario, I don't think
this is necessary.
Also, the unspoken assumption is that mastervalue is site specific, say
randomly
generated at initdb time. But ouch, that sure makes upgrades dicey. And
we would
have to think carefully about where to store it.
--
Mark Hollomon
mhh@nortelnetworks.com
ESN 451-9008 (302)454-9008
No, I am not suggesting PostgreSQL bundle any strong crypto: simply take
advantage of what's available native on the host OS.
BTW, the US export controls only apply to code written in the US. The
Wassenaar Arrangement specifically excludes free/open software.
Ciao
--Louis <louis@bertrandtech.on.ca>
Louis Bertrand http://www.bertrandtech.on.ca
Bertrand Technical Services, Bowmanville, ON, Canada
Tel: +1.905.623.8925 Fax: +1.905.623.3852
OpenBSD: Secure by default. http://www.openbsd.org/
On Fri, 9 Jul 1999, Gene Sokolov wrote:
Show quoted text
Once you say "strong encryption", you also say "export controls", "wasenaar"
and "avoid it if you can". It means PgSQL team would have to maintain two
distributions - one for the US and one for the rest of the world. It's not
like it cannot be done. I just see no benefit in using encryption instead of
hashing. There is no need for DES or Blowfish to justify the pain.Gene Sokolov.
But we don't, do we? I thougth they were hashed.
do
select * from pg_shadow;I think that it was agreed that it is better when they can't bw snatched
from
network than to have them hashed in db.
Using currently known technologies we must either either know the
original password
and use challenge-response on net, or else use plaintext (or equivalent)
on the wire.
Yes, I remember now, we hash them with random salt before sending them
to the client, and they are only visible to the postgres user.
--
Bruce Momjian | http://www.op.net/~candle
maillist@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026[Charset iso-8859-1 unsupported, filtering to ASCII...]
From: Bruce Momjian <maillist@candle.pha.pa.us>
ADMIN
How about:
* Not storing passwords in plain textBut we don't, do we? I thougth they were hashed.
maybe I miss something but it does not look so to me:
[PostgreSQL 6.5.0 on i386-unknown-freebsd3.2, compiled by gcc 2.7.2.1]
test1=> select * from pg_shadow;
usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil
--------+--------+-----------+--------+--------+---------+------+-----------
-----------------
postgres| 2000|t |t |t |t | |Sat Jan 31
09:00:00 2037 MSK
afmmgr | 2001|f |t |f |t |mgrpwd|
afmusr | 2002|f |t |f |t |usrpwd|
(3 rows)
Yes, I remember now. We keep them in clear, because we send random
salt-encrypted versions over the wire. Only Postgresql can read this
table.
--
Bruce Momjian | http://www.op.net/~candle
maillist@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026Why should anyone be able to read cleartext passwords, or even need to?
People have a habit of reusing the same password for logins elsewhere.
Hash the password as it's entered and compare hashes. This way, even if
the password file (PostgreSQL's or the system's) is compromised, the
attacker gains no extra information.
Ciao
--Louis <louis@bertrandtech.on.ca>
Louis Bertrand http://www.bertrandtech.on.ca
Bertrand Technical Services, Bowmanville, ON, Canada
Tel: +1.905.623.8925 Fax: +1.905.623.3852
OpenBSD: Secure by default. http://www.openbsd.org/
On Fri, 9 Jul 1999, Bruce Momjian wrote:
Show quoted text
[Charset iso-8859-1 unsupported, filtering to ASCII...]
From: Bruce Momjian <maillist@candle.pha.pa.us>
ADMIN
How about:
* Not storing passwords in plain textBut we don't, do we? I thougth they were hashed.
maybe I miss something but it does not look so to me:
[PostgreSQL 6.5.0 on i386-unknown-freebsd3.2, compiled by gcc 2.7.2.1]
test1=> select * from pg_shadow;
usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil
--------+--------+-----------+--------+--------+---------+------+-----------
-----------------
postgres| 2000|t |t |t |t | |Sat Jan 31
09:00:00 2037 MSK
afmmgr | 2001|f |t |f |t |mgrpwd|
afmusr | 2002|f |t |f |t |usrpwd|
(3 rows)Yes, I remember now. We keep them in clear, because we send random
salt-encrypted versions over the wire. Only Postgresql can read this
table.-- Bruce Momjian | http://www.op.net/~candle maillist@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From: Louis Bertrand <louis@bertrandtech.on.ca>
No, I am not suggesting PostgreSQL bundle any strong crypto: simply take
advantage of what's available native on the host OS.BTW, the US export controls only apply to code written in the US. The
Wassenaar Arrangement specifically excludes free/open software.
Not every OS has strong encryption built-in. And that means PgSQL would have
to maintain a crypto package for the OSes without the strong crypto. Thus
the benefits of using the OS encryption would be less significant.
Gene Sokolov.
I completely agree with Louis. It's not just the hacker: there is no need
for sysadmin to know passwords as well. I believe the security scheme where
sysadmin or anyone has to take action in order *not* to see passwords is
flawed.
I think the following solution would be satisfactory:
Store SHA(password) XOR SHA(mastervalue [+] uid). In case it's difficult to
alter the wire protocol, store password XOR SHA(mastervalue [+] uid). Either
way no one can get useful info without knowing the master value. Even simple
password XOR <mastervalue> would be helpful.
Gene Sokolov.
From: Louis Bertrand <louis@bertrandtech.on.ca>
Show quoted text
Why should anyone be able to read cleartext passwords, or even need to?
People have a habit of reusing the same password for logins elsewhere.
Hash the password as it's entered and compare hashes. This way, even if
the password file (PostgreSQL's or the system's) is compromised, the
attacker gains no extra information.From: Bruce Momjian <maillist@candle.pha.pa.us>
Yes, I remember now. We keep them in clear, because we send random
salt-encrypted versions over the wire. Only Postgresql can read this
table.
