Date: Mon, 13 Jan 2025 21:41:00 +0100
From: "Peter J. Holzer"
To: pgsql-general@lists.postgresql.org
Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256
Message-ID: <20250113204100.qpz6qpqrydtvydiq@hjp.at>
References: <20250112222828.b36hpzm3ulfzlkws@hjp.at> <372571.1736722760@sss.pgh.pa.us>

On 2025-01-13 12:19:06 -0500, Ron Johnson wrote:
> On Sun, Jan 12, 2025 at 5:59 PM Tom Lane wrote:
>  [snip]
>
>     I think this idea is a nonstarter, TLS or not.  We're generally moving
>     in the direction of never letting the server see cleartext passwords.
>     It's already possible to configure libpq to refuse such requests
>     (see require_auth parameter), although that hasn't been made the
>     default.
>
>
> ALTER ROLE xxx WITH PASSWORD accepts hashed values, so a client with the
> SCRAM-SHA algorithm could:
> 1. remember the password that was just used to log in,
> 2. generate the new hash,
> 3. send that as an ALTER ROLE statement.

Modifying the client to re-set the password is actually something I
thought about. There are some technical unknowns (e.g. is
PQencryptPasswordConn accessible through ODBC?) and some organisational
difficulties (e.g. can we get the customers to upgrade to the newest
version?), but I guess in our case it would be doable.

But in general changing every client to upgrade the password doesn't
seem feasible. Unless maybe you are proposing that libpq should do that?
That might work, but it probably also shouldn't do it by default.

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
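The client-side upgrade path sketched in the quoted steps (remember the password just used, compute the SCRAM verifier, send it in an ALTER ROLE), as an added example that is not part of this thread and not libpq's or PostgreSQL's own code. It reimplements in stdlib Python what libpq's PQencryptPasswordConn() produces for the "scram-sha-256" algorithm, so that the verifier format (SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>) and the defaults (4096 iterations, 16-byte salt) can be inspected offline, and it shows the check a client would run to confirm the stored value is still an md5 hash before upgrading it. Function names, the sample role and the sample passwords are mine; no database connection is made. Assumption: ASCII passwords only, because PostgreSQL runs SASLprep on the password first and that normalization is not in the standard library.

```python
import base64
import hashlib
import hmac
import os
import re

# Server-side defaults assumed here (PostgreSQL: scram_iterations=4096,
# SCRAM_DEFAULT_SALT_LEN=16). Adjust if your server is configured differently.
DEFAULT_ITERATIONS = 4096
DEFAULT_SALT_LEN = 16

_VERIFIER_RE = re.compile(
    r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$"
)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_sha256_keys(password: str, salt: bytes, iterations: int):
    """StoredKey and ServerKey per RFC 5802/7677.
    SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, iterations)
    ClientKey      = HMAC(SaltedPassword, "Client Key"); StoredKey = SHA256(ClientKey)
    ServerKey      = HMAC(SaltedPassword, "Server Key")
    (No SASLprep here: assumption that the password is plain ASCII.)"""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def build_scram_verifier(password: str, salt: bytes = None,
                         iterations: int = DEFAULT_ITERATIONS) -> str:
    """Equivalent of PQencryptPasswordConn(conn, pw, user, "scram-sha-256"):
    the string that ALTER ROLE ... PASSWORD accepts as a pre-hashed value.
    The server never sees the cleartext password, only this verifier."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)  # fresh random salt per verifier
    stored_key, server_key = scram_sha256_keys(password, salt, iterations)
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_scram_verifier(verifier: str):
    m = _VERIFIER_RE.match(verifier)
    if not m:
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations = int(m.group(1))
    salt, stored_key, server_key = (base64.b64decode(g) for g in m.group(2, 3, 4))
    return iterations, salt, stored_key, server_key


def password_matches_verifier(password: str, verifier: str) -> bool:
    """Sanity check before issuing ALTER ROLE: the remembered password must
    reproduce the verifier we are about to store, or we lock ourselves out."""
    iterations, salt, stored_key, server_key = parse_scram_verifier(verifier)
    sk, svk = scram_sha256_keys(password, salt, iterations)
    return hmac.compare_digest(sk, stored_key) and hmac.compare_digest(svk, server_key)


def is_md5_verifier(rolpassword: str) -> bool:
    """True for the legacy pg_authid.rolpassword form: 'md5' + 32 hex chars
    (md5 of password||username). Such a role is the one worth upgrading."""
    return (rolpassword is not None and len(rolpassword) == 35
            and rolpassword.startswith("md5")
            and all(c in "0123456789abcdef" for c in rolpassword[3:]))


def quote_ident(name: str) -> str:
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"


def alter_role_statement(role: str, verifier: str) -> str:
    """Step 3 of the quoted procedure. Quoting is done here only because the
    verifier is an opaque string; in a real client use a parameterized call."""
    return f"ALTER ROLE {quote_ident(role)} PASSWORD {quote_literal(verifier)}"


if __name__ == "__main__":
    # Constructed sample: the password the client just logged in with.
    pw = "correct horse battery staple"
    verifier = build_scram_verifier(pw)
    assert password_matches_verifier(pw, verifier)
    print(alter_role_statement("app_user", verifier))
```

Running it prints an ALTER ROLE statement carrying a fresh SCRAM verifier; the md5 check is the part a client cannot do for its own role without reading pg_authid, which is why in practice it keys off the authentication method the server actually used during login rather than the stored string.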