On 03/17/2017 05:38 AM, Michael Paquier wrote:
Regression tests are proving to be useful here (it would be nice to get those committed first!). I am noticing that this patch breaks connection for users with cleartext or md5-hashed verifier when "password" is used in pg_hba.conf.
Are you sure? It works for me.Here's a slightly updated patch that includes required changes to the test case (now that those have been committed), and some re-wording in the docs, per Joe's suggestion. All the tests pass here.
-# Most users use SCRAM authentication, but some users use older clients -# that don't support SCRAM authentication, and need to be able to log -# in using MD5 authentication. Such users are put in the @md5users -# group, everyone else must use SCRAM. +# Require SCRAM authentication for most users, but make an exception +# for user 'mike', who uses an older client that doesn't support SCRAM +# authentication. # # TYPE DATABASE USER ADDRESS METHOD -host all @md5users .example.com md5 +host all mike .example.com md5 Why not still using @md5users?
The old example didn't make much sense, now that md5 means "md5 or scram". Could've still used @md5users, but I think this is more clear. The old explanation was wrong or at least misleading anyway, because @md5users doesn't refer to a group, but a flat file that lists roles.
-- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers