Re: WIP: SCRAM authentication
| От | Josh Berkus |
|---|---|
| Тема | Re: WIP: SCRAM authentication |
| Дата | |
| Msg-id | 55CA3832.2050007@agliodbs.com обсуждение исходный текст |
| Ответ на | WIP: SCRAM authentication (Heikki Linnakangas <hlinnaka@iki.fi>) |
| Список | pgsql-hackers |
On 08/11/2015 10:06 AM, Robert Haas wrote: > On Tue, Aug 11, 2015 at 12:49 PM, Josh Berkus <josh@agliodbs.com> wrote: >> That makes sense if drivers go that way. I'm concerned that some >> drivers will have a different call for a SCRAM connection than for an >> MD5 one; we'd want to exert our project influence to prevent that from >> happening. > > I'm not sure that would be a disaster, but do any existing drivers > have a different call for a cleartext password > (pg_hba.conf='password') than they do for an MD5 password > (pg_hba.conf='md5')? If not, I'm not sure why they'd add that just > because there is now a third way of doing password-based > authentication. Well, there is a different send-and-response cycle to the SCRAM approach, no? Plus, I've seen driver authors do strange things in the past, including PHP's various drivers and pypgsql, which IIRC required you to manually pick a protocol version. I'm not saying we should plan for bad design, we should just get the word out to driver authors that we think it would be a good idea to support both methods transparently. >> That also makes it a bit harder to test the new auth on a few app >> servers before a general rollout, but there's ways around that. > > Well, staging servers are a good idea... Don't get me started. :-b -- Josh Berkus PostgreSQL Experts Inc. http://pgexperts.com
В списке pgsql-hackers по дате отправления: