Re: WIP: SCRAM authentication
From | Josh Berkus |
---|---|
Subject | Re: WIP: SCRAM authentication |
Date | |
Msg-id | 55CA2783.6040807@agliodbs.com |
In reply to | WIP: SCRAM authentication (Heikki Linnakangas <hlinnaka@iki.fi>) |
Responses | Re: WIP: SCRAM authentication |
List | pgsql-hackers |
On 08/11/2015 09:35 AM, Robert Haas wrote:
> On Tue, Aug 11, 2015 at 12:29 PM, Josh Berkus <josh@agliodbs.com> wrote:
>> On 08/11/2015 07:28 AM, Robert Haas wrote:
>>> There may be a good answer to this question, but I don't think I've
>>> seen it spelled out clearly.
>>
>> Please see my follow-up post about making by-login-role migration easier
>> for users.
>
> I read it, and now I've reread it, but I don't see how it addresses
> the points I raised.

I'm not disagreeing with your security argument, BTW, which is why I'm trying to come up with ways that make it easy for users to switch to SCRAM via gradual rollout.

You're suggesting, then, that the switchover should be relatively easy, because drivers will support both MD5 and SCRAM, and once all drivers support both, the DBA can just swap verifiers?

That makes sense if drivers go that way. I'm concerned that some drivers will have a different call for a SCRAM connection than for an MD5 one; we'd want to exert our project influence to prevent that from happening.

That also makes it a bit harder to test the new auth on a few app servers before a general rollout, but there's ways around that.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com