Joe Conway <m...@joeconway.com> writes:
> On 03/14/2017 03:15 AM, Heikki Linnakangas wrote:
>> If the server isn't set up to do SCRAM authentication, i.e. there are no
>> "scram" entries in pg_hba.conf, and you set yourself a SCRAM verifier,
>> you have just locked yourself out of the system. I think that's a
>> non-starter. There needs to be some more intelligence in the decision.

> Yes, this was exactly my concern. This seems like a serious usability fail.

>> It would be a lot more sensible, if there was a way to specify in
>> pg_hba.conf, "scram-or-md5". We punted on that for PostgreSQL 10, but
>> perhaps we should try to cram that in, after all.

> I was also thinking about that. Basically a primary method and a
> fallback. If that were the case, a gradual transition could happen, and
> if we want \password to enforce best practice it would be ok.

Why exactly would anyone want "md5 only"? I should think that "scram only"
is a sensible pg_hba setting, if the DBA feels that md5 is too insecure,
but I do not see the point of "md5 only" in 2017. I think we should just
start interpreting that as "md5 or better".

regards, tom lane

--
Sent via pgsql-hackers mailing list (email@example.com)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
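As an added illustration of the primary-plus-fallback transition discussed above (not part of this thread), here is a pg_hba.conf fragment for a staged md5-to-SCRAM migration. It assumes PostgreSQL 10 or later, where the SCRAM method is spelled `scram-sha-256` and an `md5` entry is read as "md5 or better" (a role whose stored verifier is SCRAM authenticates with SCRAM even through an `md5` line, so setting a SCRAM verifier no longer locks the role out); the subnets and role name are constructed.

```conf
# pg_hba.conf -- staged migration from md5 to SCRAM (constructed example,
# assumes PostgreSQL 10+ semantics for the md5 method)
#
# TYPE  DATABASE  USER        ADDRESS         METHOD
#
# Stage 1: the application subnet keeps its md5 entry. Under "md5 or better"
# semantics a role that still holds an md5 hash authenticates with md5, and a
# role whose password was reset to a SCRAM verifier authenticates with SCRAM;
# neither is locked out while clients are upgraded to SCRAM-capable libpq.
host    all       all         10.0.1.0/24     md5

# Stage 2: the admin network gets a "scram only" entry. A role that still
# holds an md5 hash cannot connect from here, which is the intended effect.
host    all       dba_role    10.0.2.0/24     scram-sha-256

# Stage 3 (postgresql.conf, not pg_hba.conf): generate new verifiers as SCRAM
# so that \password and ALTER ROLE ... PASSWORD stop producing md5 hashes.
#   password_encryption = scram-sha-256

# Anything that does not match an entry above is refused outright.
host    all       all         0.0.0.0/0       reject
```

Before removing the md5 line, check which roles still carry md5 hashes: in pg_authid, rolpassword values beginning with `md5` are md5 hashes, while SCRAM verifiers begin with `SCRAM-SHA-256$`.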