On Mon, Sep 26, 2016 at 9:22 PM, David Steele <da...@pgmasters.net> wrote:
> On 9/26/16 4:54 AM, Heikki Linnakangas wrote:
>> Hmm. The server could send a SCRAM challenge first, and if the client
>> gives an incorrect response, or the username doesn't exist, or the
>> user's password is actually MD5-encrypted, the server could then send an
>> MD5 challenge. It would add one round-trip to the authentication of MD5
>> passwords, but that seems acceptable.

I don't think that this applies just to md5 or scram. Could we for example use a connection parameter, like expected_auth_methods to do that? We include that in the startup packet if the caller has defined it, then the backend checks for matching entries in pg_hba.conf using the username, database and the expected auth method if specified.

--
Michael