From: Christoph Berg <[email protected]>
To: Stephen Frost <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: Devrim Gündüz <[email protected]>
Cc: Craig Ringer <[email protected]>
Cc: pgsql-pkg-yum <[email protected]>
Subject: Re: Can we stop defaulting to 'md5'?
Date: Thu, 28 May 2020 18:38:56 +0200
Message-ID: <[email protected]>
In-Reply-To: <[email protected]> <[email protected]>

Re: Stephen Frost
> postgresql.conf alone, but ultimately that's probably going to be up to
> what Christoph is comfortable with.

Re: Stephen Frost
> If you leave it as 'md5' in pg_hba.conf, then *that* will do either md5,
> or scram. If you have 'scram-sha-256' in pg_hba.conf and only an 'md5'
> password then it breaks.

Fwiw "comfortable" and "it breaks" are the problem here. The whole
picture is so utterly complicated that I'm still scared from reading
the docs the first time around the time PG10 came about. In trainings
I'm still telling people that md5 is the accepted standard because
there's enough more interesting things to teach about PostgreSQL.

Why do I have to decide *in pg_hba.conf* which hash algorithm is used?
Why can't that just be "password"?

The password_encryption GUC should be the only place concerned with
that, and it should only be used for new passwords. Existing passwords
should just continue to work. *That* would allow seamless upgrades.

Getting this mess fixed would be good for security because then people
will likely start using scram.

Christoph
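
Added example (not part of the message above and not PostgreSQL project code): a pre-migration audit of the interaction quoted from Stephen Frost, listing which pg_hba.conf rules still say 'md5' and which roles would stop authenticating if those rules were changed to 'scram-sha-256'. The function names, role names and verifier strings are constructed for illustration; the parser assumes CIDR-style addresses and unquoted fields, and the role map stands in for the contents of pg_authid.rolpassword.

```python
import re

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")  # stored verifier formats in pg_authid.rolpassword
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")

def verifier_kind(rolpassword):
    """Classify a stored verifier as 'md5', 'scram' or 'none' (no usable password)."""
    if rolpassword and MD5_RE.match(rolpassword):
        return "md5"
    if rolpassword and SCRAM_RE.match(rolpassword):
        return "scram"
    return "none"

def exchange(hba_method, kind):
    """Exchange the server runs for an hba method and verifier kind, or None if login fails."""
    if hba_method == "md5":            # accepts either verifier
        return {"md5": "md5", "scram": "scram-sha-256"}.get(kind)
    if hba_method == "scram-sha-256":  # an md5-only password breaks here
        return "scram-sha-256" if kind == "scram" else None
    raise ValueError("method not covered by this sketch: " + hba_method)

def md5_rules(hba_text):
    """Line numbers of pg_hba.conf rules whose method is 'md5' (CIDR addresses assumed)."""
    hits = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in ("local", "host", "hostssl", "hostnossl"):
            method_idx = 3 if fields[0] == "local" else 4
            if len(fields) > method_idx and fields[method_idx] == "md5":
                hits.append(lineno)
    return hits

def blocked_roles(roles):
    """Roles that log in under 'md5' today but would fail under 'scram-sha-256'."""
    return sorted(name for name, pw in roles.items()
                  if exchange("md5", verifier_kind(pw))
                  and not exchange("scram-sha-256", verifier_kind(pw)))

# Constructed sample data; the role names and verifier strings are not real.
SAMPLE_HBA = """\
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
host    all       all   ::1/128       scram-sha-256
"""
SAMPLE_ROLES = {
    "app_legacy": "md5" + "0123456789abcdef" * 2,
    "app_new": "SCRAM-SHA-256$4096:Y29uc3RydWN0ZWQ=$c3RvcmVka2V5:c2VydmVya2V5",
    "nologin_role": None,
}
```

Roles returned by `blocked_roles` need their password set again with password_encryption set to 'scram-sha-256' before the matching rule is tightened.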