Date: Thu, 28 May 2020 16:08:10 -0400
From: Stephen Frost
To: Peter Eisentraut
Cc: Christoph Berg, Devrim Gündüz, Craig Ringer, pgsql-pkg-yum
Subject: Re: Can we stop defaulting to 'md5'?
Message-ID: <20200528200810.GI6680@tamriel.snowman.net>
References: <20200528163856.GB107313@msg.df7cb.de>

Greetings,

* Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote:
> On 2020-05-28 18:38, Christoph Berg wrote:
> > Why do I have to decide *in pg_hba.conf* which hash algorithm is used?
> > Why can't that just be "password"?
> >
> > The password_encryption GUC should be the only place concerned with
> > that, and it should only be used for new passwords. Existing passwords
> > should just continue to work. *That* would allow seamless upgrades.
>
> You get that if you set the authentication method to "md5". (Clearly not a
> very clear name, but it exists.)

Yeah, the way that was done really wasn't terribly good. Having 'password' or such, as Christoph suggests, and then options for "require=scram" / "require=scram,md5" / nothing (to allow whatever..) would likely have been better, but that's not what we've got today so there isn't much point in debating it here.

Thanks,

Stephen
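
The behaviour discussed in this message, as an added example that is not part of the original e-mail or of PostgreSQL's code: PostgreSQL documents that the `md5` method in pg_hba.conf automatically uses SCRAM when the role's stored password is a SCRAM verifier, while `scram-sha-256` rejects roles that still have an MD5 hash. The sketch below uses that rule to list which roles would be locked out by a given method; the role names and stored values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of pg_authid-style data: role name -> rolpassword value.
SAMPLE_ROLES = {
    "legacy_app": "md5" + "0123456789abcdef" * 2,                # MD5 hash format
    "new_app": "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy",  # SCRAM verifier format
    "no_password": None,                                         # role without a password
}


def verifier_kind(rolpassword):
    """Classify a stored password by its format."""
    if rolpassword is None:
        return "none"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    return "unknown"


def exchange_used(hba_method, kind):
    """Return the exchange performed for a pg_hba.conf method, or None if login fails."""
    if kind in ("none", "unknown"):
        return None
    if hba_method == "scram-sha-256":
        # Strict: an MD5-hashed password cannot complete a SCRAM exchange.
        return "scram-sha-256" if kind == "scram-sha-256" else None
    if hba_method == "md5":
        # Lenient: follows whatever format the stored password has.
        return kind
    if hba_method == "password":
        # Client sends the password in clear; server checks it against either format.
        return "cleartext"
    raise ValueError(f"method not covered by this sketch: {hba_method}")


def locked_out(roles, hba_method):
    """Sorted list of roles that could not log in under the given method."""
    return sorted(
        name for name, stored in roles.items()
        if exchange_used(hba_method, verifier_kind(stored)) is None
    )


if __name__ == "__main__":
    for method in ("md5", "scram-sha-256"):
        print(method, "-> locked out:", locked_out(SAMPLE_ROLES, method))
```

Run against real role data before changing pg_hba.conf, the same check shows which passwords must be reset under `password_encryption = scram-sha-256` first.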