On Wed, Jun 06, 2018 at 11:53:06PM +0300, Heikki Linnakangas wrote:
> That would certainly be good. We've always had that problem, even with md5
> -> plaintext password downgrade, and it would be nice to fix it. It's quite
> late in the release cycle already, do you think we should address that now?
> I could go either way..

I would be inclined to treat that as new development as this is no new problem. Still that's linked with what is discussed on this thread with scram_channel_binding_mode.

> What should the option look like? Perhaps something like:
>
> allowed_authentication_methods=md5,SCRAM-SHA-256,SCRAM-SHA-256-PLUS

That's actually a discussion I had with somebody after my talk at PGCon, and I suggested a comma-separated list of authorized protocols as well, except that those could just map to the hba entries, and that each entry could just be lower-case :)
--
Michael
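The client-side check this thread proposes, as an added example that is not part of the original message and is not PostgreSQL or libpq code: it parses the comma-separated list, lower-cases the entries, and refuses a server Authentication message that asks for a method outside the list. The option allowed_authentication_methods exists only as the proposal quoted above; the function names, the preference order and the sample messages are assumptions made for this example.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_CLEARTEXT, AUTH_MD5, AUTH_SASL = 3, 5, 10
# Strongest first (assumed order): lower-cased SASL mechanism names, then the
# pg_hba.conf method names "md5" and "password".
PREFERENCE = ["scram-sha-256-plus", "scram-sha-256", "md5", "password"]


def parse_allowed(value):
    """Parse the comma-separated option value, lower-casing each entry."""
    return {m.strip().lower() for m in value.split(",") if m.strip()}


def offered_methods(msg):
    """Return the method names requested by a server Authentication ('R') message."""
    if len(msg) < 9 or msg[:1] != b"R":
        raise ValueError("not an Authentication message")
    length, code = struct.unpack("!II", msg[1:9])
    if length != len(msg) - 1:  # length field counts itself, not the type byte
        raise ValueError("length field does not match message size")
    if code == AUTH_CLEARTEXT:
        return ["password"]
    if code == AUTH_MD5:
        return ["md5"]
    if code == AUTH_SASL:
        # Body: NUL-terminated mechanism names, closed by an empty name.
        return [n.decode("ascii").lower() for n in msg[9:].split(b"\0") if n]
    raise ValueError(f"unhandled authentication request code {code}")


def choose_method(allowed_value, msg):
    """Pick the strongest offered method the client allows, else refuse."""
    allowed = parse_allowed(allowed_value)
    offered = offered_methods(msg)
    for name in PREFERENCE:
        if name in allowed and name in offered:
            return name
    raise PermissionError(f"server asked for {offered}, client allows {sorted(allowed)}")


def build_auth(code, payload=b""):
    """Construct a sample Authentication message (test data, not captured traffic)."""
    return b"R" + struct.pack("!II", 8 + len(payload), code) + payload
```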