Re: Encrypting pg_shadow passwords

On Fri, 15 Jun 2001, Bruce Momjian wrote:

> > > Migrating old sites to encrypted pg_shadow passwords should be easy if a
> > > trigger on pg_shadow will look for unencrypted INSERTs and encrypt them.
> >
> > If encrypting pg_shadow will break the old-style crypt method, then I
> > think forcing a conversion via a trigger is unacceptable. It will have
> > to be a DBA choice (at configure time, or possibly initdb?) whether to
> > use encryption or not in pg_shadow; accordingly, either crypt or "new
> > crypt" auth method will be supported by the server, not both. But
> > client libraries could be built to support both auth methods.
>
> I hate to add initdb options because it may be confusing. I wonder if
> we should have a script that encrypts the pg_shadow entries that can be
> run when the administrator knows that there are no old clients left
> around. That way it can be run _after_ initdb.

Which clients actually read pg_shadow? I always thought that only the
postmaster read it.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================