Hi,

A possible countermeasure on the Windows platform, inspired by Magnus. Thanks ;)

First we remove the passphrase from the key file, making it plain. Windows provides a feature, the "Encrypting File System" (EFS), which provides transparent encryption/decryption. We can log on using the account we run Postgres with and encrypt the plaintext key file. Then we log on using another non-admin account and start Postgres using the "runas" service. Therefore the file is encrypted; only the Postgres account and the recovery agent (the built-in Administrator by default) can read/modify it. The file will remain encrypted when restored from backup.

I've tested it on my computer and it works.

cheers,
Changyu

--- dong changyu <dcy1_1999@xxxxxxxxx> wrote:

> Hi,
> I'm using PostgreSQL with SSL these days. The version I'm using is 8.0.3. I found that it's impossible to use an encrypted key file.
> When you use a protected server.key file, you will be prompted to input your passphrase EVERY TIME IT'S USED, not only when you start the server but also when a client makes a connection. So you have to leave the key file unprotected. I think it's a serious vulnerability since the security relies on the secrecy of the private key. Without encryption, the only thing we can use to protect the private key is the access control mechanism provided by the OS.
> Any comments on this issue?
>
> cheers,
> Changyu
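The procedure Changyu outlines, written out as a PowerShell script. This is an added example, not code from the mail or from the PostgreSQL project; the data directory path, the service account name `postgres` and the presence of `openssl.exe` on PATH are assumptions. It must be run while logged on as the account the Postgres service runs under, because EFS encrypts to the certificate of whoever performs the encryption.

```powershell
# Added example: EFS-protect a plaintext PostgreSQL server.key on Windows.
# Assumptions (not stated in the mail): data directory path, service account
# name 'postgres', and openssl.exe available on PATH.
# Run while logged on as the Postgres service account, not as an admin.

$DataDir        = 'C:\PostgreSQL\data'      # assumed data directory
$KeyFile        = Join-Path $DataDir 'server.key'
$ServiceAccount = 'postgres'                # assumed service account name

# The EFS key ends up bound to the account doing the encrypting, so make
# sure we really are the service account before touching the file.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -notmatch "\\$ServiceAccount$") {
    throw "Log on as $ServiceAccount before encrypting; current user is $me"
}

# Step 1: strip the passphrase so the server can load the key unattended.
# openssl prompts once for the old passphrase; write to a temp file, then
# replace the original so a failed run never leaves a half-written key.
& openssl rsa -in $KeyFile -out "$KeyFile.plain"
if ($LASTEXITCODE -ne 0) { throw 'openssl failed to remove the passphrase' }
Move-Item -Force "$KeyFile.plain" $KeyFile

# Step 2: the plaintext key now relies on OS access control as well, so
# drop inherited ACEs and grant only the service account read/write.
icacls $KeyFile /inheritance:r /grant:r "${ServiceAccount}:(R,W)" | Out-Null

# Step 3: EFS-encrypt the file. Decryption is transparent for this account
# (and for any configured recovery agent) and opaque to everyone else.
[System.IO.File]::Encrypt($KeyFile)

# Step 4: verify the Encrypted attribute is set and show who can decrypt.
$attrs = (Get-Item $KeyFile).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    throw 'server.key is not EFS-encrypted'
}
cipher /c $KeyFile   # lists the encrypting user's certificate and recovery agents
```

Two practical points when relying on this. First, the EFS certificate and private key live in the service account's profile; export them once with `cipher /x` and store the backup offline, because an administrator-forced password reset or a lost profile otherwise makes server.key permanently unreadable to the server. Second, EFS is an NTFS property: a copy written to a FAT volume, a network share or a non-EFS-aware backup tool is written in the clear, so backups need to go through EFS-aware tooling (raw or backup-API copies) for the "stays encrypted" guarantee to hold.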