open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: Update mentions of MD5 in the documentation

Browse Source 
Reported-by: Shay Rojansky <roji@roji.org>
pull/31/merge
Peter Eisentraut 8 years ago
parent cf1cba3110
commit ad14919ac9
1 changed files with 9 additions and 25 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 34
      doc/src/sgml/runtime.sgml

34
doc/src/sgml/runtime.sgml
Unescape View File

@ -2023,16 +2023,18 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
<variablelist>
<varlistentry>
<term>Password Storage Encryption</term>
<term>Password Encryption</term>
<listitem>
<para>
By default, database user passwords are stored as MD5 hashes, so
the administrator cannot determine the actual password assigned
to the user. If MD5 encryption is used for client authentication,
the unencrypted password is never even temporarily present on the
server because the client MD5-encrypts it before being sent
across the network.
Database user passwords are stored as hashes (determined by the setting
<xref linkend="guc-password-encryption"/>), so the administrator cannot
determine the actual password assigned to the user. If SCRAM or MD5
encryption is used for client authentication, the unencrypted password is
never even temporarily present on the server because the client encrypts
it before being sent across the network. SCRAM is preferred, because it
is an Internet standard and is more secure than the PostgreSQL-specific
MD5 authentication protocol.
</para>
</listitem>
</varlistentry>
@ -2086,24 +2088,6 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
</listitem>
</varlistentry>
<varlistentry>
<term>Encrypting Passwords Across A Network</term>
<listitem>
<para>
The <literal>MD5</literal> authentication method double-encrypts the
password on the client before sending it to the server. It first
MD5-encrypts it based on the user name, and then encrypts it
based on a random salt sent by the server when the database
connection was made. It is this double-encrypted value that is
sent over the network to the server. Double-encryption not only
prevents the password from being discovered, it also prevents
another connection from using the same encrypted password to
connect to the database server at a later time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Encrypting Data Across A Network</term>

Write Preview
Loading…
Cancel
Save