Re: [HACKERS] scram and \password
From | Heikki Linnakangas |
---|---|
Subject | Re: [HACKERS] scram and \password |
Date | |
Msg-id | fe2c096e-7b06-3e8e-0804-109def6b5d98@iki.fi |
In response to | Re: [HACKERS] scram and \password (Michael Paquier <michael.paquier@gmail.com>) |
Responses |
Re: [HACKERS] scram and \password
|
List | pgsql-hackers |
On 03/17/2017 05:38 AM, Michael Paquier wrote:
> Regression tests are proving to be useful here (it would be nice to
> get those committed first!). I am noticing that this patch breaks
> connection for users with cleartext or md5-hashed verifier when
> "password" is used in pg_hba.conf.

Are you sure? It works for me.

Here's a slightly updated patch that includes required changes to the test case (now that those have been committed), and some re-wording in the docs, per Joe's suggestion. All the tests pass here.

> -# Most users use SCRAM authentication, but some users use older clients
> -# that don't support SCRAM authentication, and need to be able to log
> -# in using MD5 authentication. Such users are put in the @md5users
> -# group, everyone else must use SCRAM.
> +# Require SCRAM authentication for most users, but make an exception
> +# for user 'mike', who uses an older client that doesn't support SCRAM
> +# authentication.
> #
> # TYPE DATABASE USER ADDRESS METHOD
> -host all @md5users .example.com md5
> +host all mike .example.com md5
> Why not still using @md5users?

The old example didn't make much sense, now that md5 means "md5 or scram". Could've still used @md5users, but I think this is more clear. The old explanation was wrong or at least misleading anyway, because @md5users doesn't refer to a group, but a flat file that lists roles.

- Heikki
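Review bot: The new comment above the `host all mike .example.com md5` line promises an exception for a client that cannot do SCRAM, but it does not say what the exception depends on. The reply notes that `md5` now means "md5 or scram", so the rule by itself does not pin the method to MD5; if the server picks SCRAM whenever the role's stored verifier is a SCRAM one, mike's older client still fails. Suggest extending the comment with one sentence stating that mike's password must be stored as an MD5 hash for this line to have the described effect.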