public inbox for [email protected]  
From: Stephen Frost <[email protected]>
To: Christoph Berg <[email protected]>
To: Devrim Gündüz <[email protected]>
To: Craig Ringer <[email protected]>
To: pgsql-pkg-yum <[email protected]>
Subject: Re: Can we stop defaulting to 'ident'?
Date: Fri, 20 Dec 2019 10:21:01 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

Greetings,

* Christoph Berg ([email protected]) wrote:
> Re: Stephen Frost 2019-12-20 <[email protected]>
> > SCRAM is *definitely* better and I strongly support us moving to it,
> > provided it doesn't break anything existing (which it generally
> > shouldn't...  but maybe there's some weird edge cases, or possibly older
> > clients, but still, at some point, we need to move this default to be
> > SCRAM).
> 
> TBH I haven't really read the manual section about md5-scram
> compatibility yet, but from memory, there's a lot of footnotes that
> need to be taken into account before the switch can be flipped, if
> upgrades from old servers are to be supported. The process sounds
> scary and painful.

This depends on which 'switch' we are talking about flipping and how
things like passwords are managed today and such...

I encourage reading through the documentation, of course, but my
recollection off-hand is that 'scram' in pg_hba.conf will happily work
with stored md5 passwords too as a fall-back.  Changing how passwords
are stored is actually not related to pg_hba.conf but rather to the
password encryption GUC, which we would want to change because otherwise
you don't actually get any real improvement in security.  The default
for that continues to be 'md5' from PG though and Debian doesn't
currently change it.  I do worry there might be an issue with older
pre-scram-supporting clients/libraries, haven't looked at that recently.

Thanks,

Stephen
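The configuration pieces the message refers to (the method in pg_hba.conf and the password_encryption GUC), together with the check a packager or DBA would run before flipping the default, as an added example that is not part of this thread. It assumes a superuser psql session on PostgreSQL 10 or later (the first release with SCRAM-SHA-256); the role name and CIDR are placeholders. The order follows the PostgreSQL documentation's upgrade path: set the GUC, have every role set a new password, then change the pg_hba.conf line. The documentation also states that a password stored as an MD5 hash can only satisfy an md5 (or password) rule, while an md5 rule automatically uses SCRAM for a role whose password is already stored in SCRAM form, which is why the query in step 1 is worth re-running before the line is changed.

```sql
-- Added example, not part of the thread. Assumes PostgreSQL 10 or newer
-- and a superuser session (pg_authid is superuser-only).

-- 1. Find login roles whose stored password is still an MD5 hash. pg_authid
--    stores MD5 hashes with an 'md5' prefix and SCRAM verifiers with a
--    'SCRAM-SHA-256$' prefix; NULL means the role has no password at all.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL THEN 'no password'
         WHEN rolpassword LIKE 'md5%' THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         ELSE 'other'
       END AS stored_as
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- 2. Hash newly set passwords with SCRAM. This is the GUC the message
--    refers to; it only affects passwords set from now on. Existing MD5
--    hashes stay MD5 until each role's password is set again.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
SHOW password_encryption;

-- 3. Re-hash an existing role. Prefer psql's \password (which computes the
--    verifier client-side using the server's password_encryption setting)
--    over ALTER ROLE ... PASSWORD 'x', so the clear-text password is not
--    sent to the server or written to its log. 'app_user' is a placeholder.
--    \password app_user

-- 4. pg_hba.conf lines for the two stages (10.0.0.0/8 is a placeholder):
--    while step 1 still lists md5 rows (an md5 rule already uses SCRAM for
--    roles stored in SCRAM form):
--      host  all  all  10.0.0.0/8  md5
--    once step 1 shows no md5 rows:
--      host  all  all  10.0.0.0/8  scram-sha-256
--    A role still stored as md5 cannot authenticate through a
--    scram-sha-256 rule, so re-run step 1 before making this change.
```

Step 1 also exposes the client-side concern raised in the message: each role that must move to SCRAM is a role whose clients need a libpq (or driver) new enough to speak SCRAM-SHA-256. Since PostgreSQL 14 the server's built-in default for password_encryption is scram-sha-256, so step 2 is only needed on older releases or where a distribution overrides it.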


Attachments:

  [application/pgp-signature] signature.asc (819B, 2-signature.asc)