On Wed, Mar 30, 2016 at 9:46 AM, Michael Paquier <michael.paqu...@gmail.com> wrote: >> Things I noticed: >> 1. >> when using either >> CREATE ROLE >> ALTER ROLE >> with the parameter >> ENCRYPTED >> md5 encryption is always assumed (I've come to realize that UNENCRYPTED >> always equals plain and, in the past, ENCRYPTED equaled md5 since there were >> no other options) > > Yes, that's to match the current behavior, and make something fully > backward-compatible. Switching to md5 + scram may have made sense as > well though.
I think we're not going to have much luck getting people to switch over to SCRAM if the default remains MD5. Perhaps there should be a GUC for this - and we can initially set that GUC to md5, allowing people who are ready to adopt SCRAM to change it. And then in a later release we can change the default, once we're pretty confident that most connectors have added support for the new authentication method. This is going to take a long time to roll out. Alternatively, we could control it strictly through DDL. Note that the existing behavior is pretty wonky: alter user rhaas unencrypted password 'foo'; -> rolpassword foo alter user rhaas encrypted password 'foo'; -> rolpassword md5e748797a605a1c95f3d6b5f140b2d528 alter user rhaas encrypted password 'md5e748797a605a1c95f3d6b5f140b2d528'; -> rolpassword md5e748797a605a1c95f3d6b5f140b2d528 alter user rhaas unencrypted password 'md5e748797a605a1c95f3d6b5f140b2d528'; -> rolpassword md5e748797a605a1c95f3d6b5f140b2d528 So basically the use of the ENCRYPTED keyword means "if it does already seem to be the sort of MD5 blob we're expecting, turn it into that". And we just rely on the format to distinguish between an MD5 verifier and an unencrypted password. Personally, I think a good start here, and I think you may have something like this in the patch already, would be to split rolpassword into two columns, say rolencryption and rolpassword. rolencryption says how the password verifier is encrypted and rolpassword contains the verifier itself. Initially, rolencryption will be 'plain' or 'md5', but later we can add 'scram' as another choice, or maybe it'll be more specific like 'scram-hmac-doodad'. And then maybe introduce syntax like this: alter user rhaas set password 'raw-unencrypted-passwordt' using 'verifier-method'; alter user rhaas set password verifier 'verifier-goes-here' using 'verifier-method'; That might require making verifier a key word, which would be good to avoid. Perhaps we could use "password validator" instead? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers