Sunday, June 29, 2008

Re: [pgsql-es-ayuda] Postgres and jdbc

Edgar Enriquez wrote:
> The question is whether it is possible to send md5 in a connection
> string with postgresql-8.2-508.jdbc4?

I don't understand the question. If the server specifies the md5 method in
pg_hba.conf, then the password will be sent as md5, regardless of how you
put it in the source code. (Unlike the password method in
pg_hba.conf, which causes the password to be sent as unencrypted text.)

The documentation says:
http://www.postgresql.org/docs/8.3/static/auth-pg-hba-conf.html
md5

Require the client to supply an MD5-encrypted password for
authentication. See Section 21.2.2 for details.

password

Require the client to supply an unencrypted password for
authentication. Since the password is sent in clear text over the
network, this should not be used on untrusted networks. It also does
not usually work with threaded client applications. See Section
21.2.2 for details.


Section 21.2.2 is
http://www.postgresql.org/docs/8.3/static/auth-methods.html#AUTH-PASSWORD
which says the following:

The password-based authentication methods are md5, crypt, and
password. These methods operate similarly except for the way
that the password is sent across the connection: respectively,
MD5-hashed, crypt-encrypted, and clear-text. A limitation is
that the crypt method does not work with passwords that have
been encrypted in pg_authid.

If you are at all concerned about password "sniffing" attacks
then md5 is preferred, with crypt to be used only if you must
support pre-7.2 clients. Plain password should be avoided
especially for connections over the open Internet (...)

--
Alvaro Herrera

http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
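
What the md5 and password methods discussed in the reply above put on the wire, as an added example that is not part of the original message or of the JDBC driver. The hash construction follows the PostgreSQL frontend/backend protocol documentation rather than anything quoted on this page, and the user name, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    """What the server stores for an MD5-hashed role password."""
    return "md5" + md5_hex((password + user).encode("utf-8"))


def client_md5_response(user: str, password: str, salt: bytes) -> str:
    """What the client sends when pg_hba.conf says md5."""
    inner = md5_hex((password + user).encode("utf-8"))
    return "md5" + md5_hex(inner.encode("ascii") + salt)


def client_password_response(password: str) -> bytes:
    """What the client sends when pg_hba.conf says password: the cleartext."""
    return password.encode("utf-8")


def server_accepts(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: redo the salted hash from the stored verifier and compare."""
    expected = "md5" + md5_hex(verifier[3:].encode("ascii") + salt)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    user, password = "app_user", "s3cret-example"  # constructed sample values
    salt = os.urandom(4)  # the server picks 4 random bytes per connection
    verifier = stored_verifier(user, password)
    resp = client_md5_response(user, password, salt)
    print("md5 method sends:     ", resp)
    print("password method sends:", client_password_response(password))
    print("server accepts:       ", server_accepts(verifier, salt, resp))
```

The client code supplies the same plaintext password in both cases; which of the two payloads is sent is decided by the method the server requests, as the reply states.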