On Fri, Apr 14, 2017 at 8:28 PM, Craig Ringer <craig.rin...@2ndquadrant.com> wrote: > There's no point advertising scram-512 if only -256 can work for 'bob' > because that's what we have in pg_authid.
The possibility to have multiple verifiers has other benefits than that, password rolling being one. We may want to revisit that once there is a need to have a pg_auth_verifiers, my intuition on the matter is that we are years away from it, but we'll very likely need it for more reasons than the one you are raising here. > Yes, filtering the advertised mechs exposes info. But not being able to log > in if you're the legitimate user without configuring the client with your > password hash format would suck too. Yup. -- Michael -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers