Re: [HACKERS] SCRAM authentication, take three
From | Peter Eisentraut |
---|---|
Subject | Re: [HACKERS] SCRAM authentication, take three |
Date | |
Msg-id | 92d44dc1-8c97-ae36-25c1-e70590590009@2ndquadrant.com |
In reply to | Re: [HACKERS] SCRAM authentication, take three (Noah Misch <noah@leadboat.com>) |
List | pgsql-hackers |
On 4/9/17 19:19, Noah Misch wrote:
> These are the two chief approaches I'm seeing:
>
> 1. scram-sha-256, scram-sha-256-plus, and successors will be their own
> pg_hba.conf authentication methods. Until and unless someone implements an
> ability to name multiple methods per HBA line, you must choose exactly one
> SASL method. The concrete work for v10 would be merely renaming "scram" to
> "scram-sha-256".

I like that.

> 2. Create a multiplexed authentication method like "sasl" or "scram" (not to
> be confused with today's "scram" method, which denotes SCRAM-SHA-256
> precisely). The DBA permits concrete methods like scram-sha-256 via HBA
> option. Absent that option, the system could default to a reasonable list.

The problem with that approach is that you would then eventually need
yet another place like pg_hba.conf to configure which SASL mechanisms to
use under which circumstances. pg_hba.conf is already that place for
the Legacy Authentication and Security Layer, so it could be that place
for SASL as well.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services