On 4/9/17 19:19, Noah Misch wrote:
> These are the two chief approaches I'm seeing:
>
> 1. scram-sha-256, scram-sha-256-plus, and successors will be their own
>    pg_hba.conf authentication methods. Until and unless someone implements an
>    ability to name multiple methods per HBA line, you must choose exactly one
>    SASL method. The concrete work for v10 would be merely renaming "scram" to
>    "scram-sha-256".

I like that.

> 2. Create a multiplexed authentication method like "sasl" or "scram" (not to
>    be confused with today's "scram" method, which denotes SCRAM-SHA-256
>    precisely). The DBA permits concrete methods like scram-sha-256 via HBA
>    option. Absent that option, the system could default to a reasonable list.

The problem with that approach is that you would then eventually need
yet another place like pg_hba.conf to configure which SASL mechanisms to
use under which circumstances. pg_hba.conf is already that place for
the Legacy Authentication and Security Layer, so it could be that place
for SASL as well.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)