2015-12-20 18:37 GMT+01:00 oleg yusim <olegyu...@gmail.com>:

> Tom,
>
> I understand the idea that for external communication you rely on SSL.
> However, how about me opening psql prompt into the database directly from
> my Linux box, my db is installed at? I thought, it would be considered
> local connection and would not go through the SSL channels. If that is the
> case, here we would be dealing with Session IDs belonging to DB itself, not
> OpenSSL.
>

All necessary data are stored locally in process memory. No session ID is required.

Pavel

> Please, correct me if I'm wrong.
>
> Thanks,
>
> Oleg
>
> On Sun, Dec 20, 2015 at 11:28 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
>
>> oleg yusim <olegyu...@gmail.com> writes:
>> > Got it, thanks... Now, is it any protection in place currently against
>> > replacing Session ID (my understanding, it is kept in memory, belonging to
>> > the session process) or against guessing Session ID (i.e. is Session ID
>> > generated using FIPS 140-2 compliant algorithms, or anything of that sort)?
>>
>> I don't think Postgres even has any concept that matches what you seem
>> to think a Session ID is.
>>
>> If you're looking for communication security/integrity checking, that's
>> something we leave to other software such as SSL.
>>
>> regards, tom lane