On 03/17/2017 05:38 AM, Michael Paquier wrote:
Regression tests are proving to be useful here (it would be nice to
get those committed first!). I am noticing that this patch breaks
connection for users with cleartext or md5-hashed verifier when
"password" is used in pg_hba.conf.


Are you sure? It works for me.

Here's a slightly updated patch that includes required changes to the test case (now that those have been committed), and some re-wording in the docs, per Joe's suggestion. All the tests pass here.

-# Most users use SCRAM authentication, but some users use older clients
-# that don't support SCRAM authentication, and need to be able to log
-# in using MD5 authentication. Such users are put in the @md5users
-# group, everyone else must use SCRAM.
+# Require SCRAM authentication for most users, but make an exception
+# for user 'mike', who uses an older client that doesn't support SCRAM
+# authentication.
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
-host    all             @md5users       .example.com            md5
+host    all             mike            .example.com            md5
Why not still using @md5users?

The old example didn't make much sense, now that md5 means "md5 or scram". Could've still used @md5users, but I think this is more clear. The old explanation was wrong or at least misleading anyway, because @md5users doesn't refer to a group, but a flat file that lists roles.

- Heikki

Attachment: 0001-Allow-SCRAM-authentication-when-pg_hba.conf-says-md5-2.patch
Description: application/download

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to