Re: Can we stop defaulting to 'ident'?
| От | Stephen Frost |
|---|---|
| Тема | Re: Can we stop defaulting to 'ident'? |
| Дата | |
| Msg-id | 20191220152101.GS3195@tamriel.snowman.net обсуждение исходный текст |
| Ответ на | Re: Can we stop defaulting to 'ident'? (Christoph Berg <myon@debian.org>) |
| Список | pgsql-pkg-yum |
Greetings, * Christoph Berg (myon@debian.org) wrote: > Re: Stephen Frost 2019-12-20 <20191220150644.GO3195@tamriel.snowman.net> > > SCRAM is *definitely* better and I strongly support us moving to it, > > provided it doesn't break anything existing (which it generally > > shouldn't... but maybe there's some weird edge cases, or possibly older > > clients, but still, at some point, we need to move this default to be > > SCRAM). > > TBH I haven't really read the manual section about md5-scram > compatibility yet, but from memory, there's a lot of footnotes that > need to be taken into account before the switch can be flipped, if > upgrades from old servers are to be supported. The process sounds > scary and painful. This depends on which 'switch' we are talking about flipping and how things like passwords are managed today and such... I encourage reading through the documentation, of course, but my recollection off-hand is that 'scram' in pg_hba.conf will happily work with stored md5 passwords too as a fall-back. Changing how passwords are stored is actually not related to pg_hba.conf but rather to the password encryption GUC, which we would want to change because otherwise you don't actually get any real improvement in security. The default for that continues to be 'md5' from PG though and Debian doesn't currently change it. I do worry there might be an issue with older pre-scram-supporting clients/libraries, haven't looked at that recently. Thanks, Stephen
Вложения
В списке pgsql-pkg-yum по дате отправления: