On 03/17/2017 05:38 AM, Michael Paquier wrote:
Regression tests are proving to be useful here (it would be nice to get those committed first!). I am noticing that this patch breaks connection for users with cleartext or md5-hashed verifier when "password" is used in pg_hba.conf.
Are you sure? It works for me.Here's a slightly updated patch that includes required changes to the test case (now that those have been committed), and some re-wording in the docs, per Joe's suggestion. All the tests pass here.
-# Most users use SCRAM authentication, but some users use older clients -# that don't support SCRAM authentication, and need to be able to log -# in using MD5 authentication. Such users are put in the @md5users -# group, everyone else must use SCRAM. +# Require SCRAM authentication for most users, but make an exception +# for user 'mike', who uses an older client that doesn't support SCRAM +# authentication. # # TYPE DATABASE USER ADDRESS METHOD -host all @md5users .example.com md5 +host all mike .example.com md5 Why not still using @md5users?
The old example didn't make much sense, now that md5 means "md5 or scram". Could've still used @md5users, but I think this is more clear. The old explanation was wrong or at least misleading anyway, because @md5users doesn't refer to a group, but a flat file that lists roles.
- Heikki
0001-Allow-SCRAM-authentication-when-pg_hba.conf-says-md5-2.patch
Description: application/download
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
