On 03/14/2017 08:40 AM, Tom Lane wrote:
> Joe Conway <m...@joeconway.com> writes:
>> On 03/14/2017 03:15 AM, Heikki Linnakangas wrote:
>>> It would be a lot more sensible, if there was a way to specify in
>>> pg_hba.conf, "scram-or-md5". We punted on that for PostgreSQL 10, but
>>> perhaps we should try to cram that in, after all.
>
>> I was also thinking about that. Basically a primary method and a
>> fallback. If that were the case, a gradual transition could happen, and
>> if we want \password to enforce best practice it would be ok.
>
> Why exactly would anyone want "md5 only"? I should think that "scram
> only" is a sensible pg_hba setting, if the DBA feels that md5 is too
> insecure, but I do not see the point of "md5 only" in 2017. I think
> we should just start interpreting that as "md5 or better".

That certainly would work for me.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development