public inbox for [email protected]
help / color / mirror / Atom feedFrom: Jonathan S. Katz <[email protected]>
To: Stephen Frost <[email protected]>
To: Peter Eisentraut <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: Jeff Davis <[email protected]>
Cc: samay sharma <[email protected]>
Cc: [email protected]
Subject: Re: Proposal: Support custom authentication methods using hooks
Date: Wed, 2 Mar 2022 10:45:01 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On 3/2/22 10:30 AM, Stephen Frost wrote:
> Greetings,
>
> * Peter Eisentraut ([email protected]) wrote:
>> On 02.03.22 15:16, Jonathan S. Katz wrote:
>>>> I find that a lot of people are still purposely using md5. Removing it
>>>> now or in a year would be quite a disruption.
>>>
>>> What are the reasons they are still purposely using it? The ones I have
>>> seen/heard are:
>>>
>>> - Using an older driver
>>> - On a pre-v10 PG
>>> - Unaware of SCRAM
>>
>> I'm not really sure, but it seems like they are content with what they have
>> and don't want to bother with the new fancy stuff.
By that argument, we should have kept "password" (plain) as an
authentication method.
The specific use-cases I've presented are all solvable issues. The
biggest challenging with existing users is the upgrade process, which is
why I'd rather we begin a deprecation process and see if there are any
ways we can make the md5 => SCRAM transition easier.
> There were lots and lots of folks who were comfortable with
> recovery.conf, yet we removed that without any qualms from one major
> version to the next. md5 will have had 5 years of overlap with scram.
I do agree with Stephen in principle here. I encountered upgrade
challenges in this an challenge with updating automation to handle this
change.
>>> What I'm proposing above is to start the process of deprecating it as an
>>> auth method, which also allows to continue the education efforts to
>>> upgrae. Does that make sense?
>>
>> I'm not in favor of starting a process that will result in removal of the
>> md5 method at this time.
>
> I am.
+1 for starting this process. It may still take a few more years, but we
should help our users to move away from an auth method with known issues.
Thanks,
Jonathan
Attachments:
[application/pgp-signature] OpenPGP_signature (840B, ../[email protected]/2-OpenPGP_signature)
download
view thread (23+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Proposal: Support custom authentication methods using hooks
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox