Date: Fri, 20 Dec 2019 10:21:01 -0500
From: Stephen Frost
To: Christoph Berg, Devrim Gündüz, Craig Ringer, pgsql-pkg-yum
Subject: Re: Can we stop defaulting to 'ident'?
Message-ID: <20191220152101.GS3195@tamriel.snowman.net>
In-Reply-To: <20191220151535.GE9564@msg.df7cb.de>

Greetings,

* Christoph Berg (myon@debian.org) wrote:
> Re: Stephen Frost 2019-12-20 <20191220150644.GO3195@tamriel.snowman.net>
> > SCRAM is *definitely* better and I strongly support us moving to it,
> > provided it doesn't break anything existing (which it generally
> > shouldn't... but maybe there's some weird edge cases, or possibly older
> > clients, but still, at some point, we need to move this default to be
> > SCRAM).
>
> TBH I haven't really read the manual section about md5-scram
> compatibility yet, but from memory, there's a lot of footnotes that
> need to be taken into account before the switch can be flipped, if
> upgrades from old servers are to be supported. The process sounds
> scary and painful.

This depends on which 'switch' we are talking about flipping and how
things like passwords are managed today and such...

I encourage reading through the documentation, of course, but my
recollection off-hand is that 'scram' in pg_hba.conf will happily work
with stored md5 passwords too as a fall-back. Changing how passwords
are stored is actually not related to pg_hba.conf but rather to the
password encryption GUC, which we would want to change because otherwise
you don't actually get any real improvement in security.

The default for that continues to be 'md5' from PG though and Debian
doesn't currently change it.

I do worry there might be an issue with older pre-scram-supporting
clients/libraries, haven't looked at that recently.

Thanks,

Stephen
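A pre-migration audit for the situation discussed in this thread, written here as an added example (it is not code from the thread, from PostgreSQL or from the Debian/PGDG packaging). It assumes the role list was dumped with `psql -At` from pg_authid (one `rolname|rolpassword` row per line) and that pg_hba.conf is read line by line; it reports which roles still hold md5 hashes (those gain nothing from a scram-sha-256 default until their password is reset with password_encryption set accordingly) and which pg_hba.conf rules still use a method other than scram-sha-256.

```python
# Added example (not from the thread): audit a cluster before moving the
# pg_hba.conf default from ident/md5 to scram-sha-256. Input 1: rows of
# `SELECT rolname, rolpassword FROM pg_authid` as `psql -At` prints them.
import re

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")        # "md5" + hex(md5(password || rolname))
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:")    # SCRAM-SHA-256$<iter>:<salt>$<stored>:<server>
# Method names pg_hba.conf accepts; used to locate the METHOD column.
HBA_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
               "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def classify_hash(rolpassword):
    """'scram', 'md5', 'plain' or 'none' for one pg_authid.rolpassword value."""
    if not rolpassword:
        return "none"    # NULL: the role cannot log in with a password at all
    if SCRAM_RE.match(rolpassword):
        return "scram"
    if MD5_RE.match(rolpassword):
        return "md5"     # gains nothing from the switch until the password is reset
    return "plain"       # unrecognised or unhashed legacy value

def audit_roles(authid_rows):
    """Group role names by the hash class of their stored password."""
    groups = {"scram": [], "md5": [], "plain": [], "none": []}
    for row in authid_rows:
        name, _, pw = row.partition("|")
        groups[classify_hash(pw)].append(name)
    return groups

def audit_hba(hba_lines):
    """(line_no, method) for every pg_hba.conf rule not using scram-sha-256."""
    flagged = []
    for n, raw in enumerate(hba_lines, 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue     # blank or comment-only line
        # TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]: the method is
        # the first field after USER that is a known method name.
        method = next((f for f in fields[3:] if f in HBA_METHODS), "unparsed")
        if method != "scram-sha-256":
            flagged.append((n, method))
    return flagged

# Constructed sample data, not taken from any real cluster.
SAMPLE_AUTHID = ["postgres|", "app|SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy",
                 "legacy|md5" + "0" * 32]
SAMPLE_HBA = ["# TYPE  DATABASE  USER  ADDRESS       METHOD",
              "local   all       all                 ident",
              "host    all       all   127.0.0.1/32  md5",
              "host    all       all   ::1/128       scram-sha-256"]
```

Run `audit_roles(SAMPLE_AUTHID)` and `audit_hba(SAMPLE_HBA)` against a real dump and config to get the list of roles to re-password and rules to change before flipping the default.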