From: Fernando Nasser
Organization: Red Hat Canada
Date: Fri, 03 Oct 2003 00:41:00 -0000
To: Fernando Nasser
Cc: Wei Tjioe, rhdb@sources.redhat.com
Subject: Re: problem with Configuring a Connection to a Database using Visual Explain
Message-ID: <3F7CC5A4.6040103@redhat.com>
References: <3F7C859C.4060604@redhat.com>

Fernando Nasser wrote:
> Wei,
>
> The client side (in this case JDBC) is not aware of how the server
> stores its passwords. They are sent clear text with either 'password'
> or 'md5' -- they are stored encrypted in the server. If you need more
     ^^^^crypt
> security and don't want clear text passwords on the network make the
> connection using SSL. The JDBC driver supports SSL connection for some
> time now.
>

Sorry, I was thinking of crypt. I forgot that we now have support for md5 and, of course, this means that the passwords may be encrypted before being sent over the wire. In which case you don't need SSL (if just for that).

But the detection if the JDBC driver has to send md5 or clear text passwords (for password _and_ crypt) is done automatically. The server tells the client how it wants the password. The client program always passes it to JDBC as clear text.

Please note that JDBC drivers before 7.3 had a bug in md5 password encryption. I think it would only affect people with a different encoding in their locale, but to be on the safe side you should use drivers 7.3 on when using md5.

Your pg_hba file seems to be in a very old format (7.1.x perhaps). What versions of PostgreSQL and of the JDBC driver are you using?

Regards,
Fernando

--
Fernando Nasser
Red Hat Canada Ltd.
E-Mail: fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
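Added example, not part of the original message and not the JDBC driver's code: a Python sketch of the exchange described above, where the server's authentication request (code 3 for clear text, code 5 for md5 with a 4-byte salt) decides what the client sends. The function names, account name, passwords and salt are constructed for illustration, crypt is left out, and since the message does not describe the pre-7.3 bug itself, the demo only shows why the md5 response depends on the byte encoding of a non-ASCII password.

```python
import hashlib
import hmac

AUTH_CLEARTEXT = 3  # server asks for the password as-is
AUTH_MD5 = 5        # server asks for a salted MD5 response (4-byte salt)

def _md5_hex(data: bytes) -> bytes:
    return hashlib.md5(data).hexdigest().encode("ascii")

def stored_verifier(user: str, password: str, encoding: str) -> bytes:
    """Value the server keeps for an md5 password: 'md5' + md5(password + user)."""
    return b"md5" + _md5_hex(password.encode(encoding) + user.encode(encoding))

def client_response(auth_code: int, user: str, password: str,
                    salt: bytes = b"", encoding: str = "utf-8") -> bytes:
    """Build the password payload for the method the server requested."""
    if auth_code == AUTH_CLEARTEXT:
        return password.encode(encoding)
    if auth_code == AUTH_MD5:
        if len(salt) != 4:
            raise ValueError("md5 request must carry a 4-byte salt")
        inner = stored_verifier(user, password, encoding)[3:]
        return b"md5" + _md5_hex(inner + salt)
    raise ValueError(f"unsupported authentication request code {auth_code}")

def server_accepts(verifier: bytes, salt: bytes, response: bytes) -> bool:
    """Server side of the md5 check: re-salt the stored hash and compare."""
    expected = b"md5" + _md5_hex(verifier[3:] + salt)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    salt = b"\x01\x02\x03\x04"   # constructed; a real server picks it at random
    user = "appuser"             # constructed account name
    results = {}
    for label, pw in (("ascii", "s3cret"), ("non_ascii", "s\u00e9cret")):
        verifier = stored_verifier(user, pw, "latin-1")   # as set on the server
        for enc in ("latin-1", "utf-8"):                  # encoding used by the client
            resp = client_response(AUTH_MD5, user, pw, salt, enc)
            results[(label, enc)] = server_accepts(verifier, salt, resp)
    return results

if __name__ == "__main__":
    for key, ok in demo().items():
        print(key, "accepted" if ok else "rejected")
```

The ASCII password is accepted under either client encoding; the non-ASCII one is accepted only when the client hashes the same bytes the server hashed when the password was set.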