On Mon, Sep 26, 2016 at 9:22 PM, David Steele <da...@pgmasters.net> wrote:
> On 9/26/16 4:54 AM, Heikki Linnakangas wrote:
>> Hmm. The server could send a SCRAM challenge first, and if the client
>> gives an incorrect response, or the username doesn't exist, or the
>> user's password is actually MD5-encrypted, the server could then send an
>> MD5 challenge. It would add one round-trip to the authentication of MD5
>> passwords, but that seems acceptable.

I don't think that this applies just to md5 or scram. Could we for
example use a connection parameter, like expected_auth_methods to do
that? We include that in the startup packet if the caller has defined
it, then the backend checks for matching entries in pg_hba.conf using
the username, database and the expected auth method if specified.

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to