gnumed-devel

Re: [Gnumed-devel] good news regarding PostgreSQL


From: Karsten Hilbert
Subject: Re: [Gnumed-devel] good news regarding PostgreSQL
Date: Sat, 4 Feb 2006 15:27:32 +0100
User-agent: Mutt/1.5.11

On Sat, Feb 04, 2006 at 09:24:36AM +0800, Syan Tan wrote:

> thanks, will take a look. Don't quite understand about the pg_hba.conf,
Well, the main point is that in order to add a GNUmed user
to the database one does NOT have to fiddle with pg_hba.conf
ever again. Have root or postgres do it once and be done
with it. From then on one only needs to add users to the
database itself in the appropriate way. That appropriate way
is encapsulated by gm_create_user().

> but you're saying it's per group rather than per database definition of local
> and host type of database access,
No, it is still per database. Or rather per "group of
databases" namely those for which a PG group exists with the
same name as the database - of which the user then needs to
be a member. Which is taken care of by gm_create_user().

> which is sending of md5 hashes of passwords
yes

> (this isn't challenge-authentication, is it ?;
no, not the way I read the docs

> can someone spoof the md5 password packets?)
It's hard because the client does not simply send the
password md5()ed but must md5() the password AND a salt
value that was sent to it from the server for this very
connection. That way snooped MD5 values cannot simply be
reused. They could be reused only when the salt is the same
again. The salt is 4 characters, IOW 32 bit. So salt reuse
should in theory only be possible once within 2^32 connections.

> I've been trying to get Kerberos working lately (mainly because my gsasl is
> saying something about credentials when I try to get ldap to work with
> default configuration). Postgres does Kerberos too, doesn't it?
According to the docs, yes.

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
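
The salted exchange described in the message above, as an added example that is not part of the original post nor code from GNUmed or PostgreSQL. It follows PostgreSQL's documented md5 method, `'md5' + md5(md5(password + username) + salt)` with a 4-byte per-connection salt; the user name, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    """What the server keeps for an md5 user: 'md5' + md5(password + username)."""
    return "md5" + _md5_hex((password + user).encode())


def client_response(user: str, password: str, salt: bytes) -> str:
    """What the client sends: 'md5' + md5(md5(password + username) + salt)."""
    inner = _md5_hex((password + user).encode())
    return "md5" + _md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored verifier and this connection's salt."""
    expected = "md5" + _md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def replay_demo(salt_first: bytes, salt_second: bytes) -> tuple:
    """Capture the response from one connection and present it on a second one."""
    user, password = "any-doc", "constructed-sample-pw"  # constructed sample values
    verifier = stored_verifier(user, password)
    captured = client_response(user, password, salt_first)
    accepted_first = server_check(verifier, salt_first, captured)
    accepted_replay = server_check(verifier, salt_second, captured)
    return accepted_first, accepted_replay


if __name__ == "__main__":
    # Per-connection salts: 4 random bytes each, as in the message above.
    s1, s2 = os.urandom(4), os.urandom(4)
    print("second connection, fresh salt ->", replay_demo(s1, s2))
    print("second connection, same salt  ->", replay_demo(s1, s1))
```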



