On 04/18/2017 11:15 AM, Simon Riggs wrote:
As a potential open item, if we treat "md5" as ">= md5"
should we not also treat "password" as ">=password"?

It seems strange that we still support "password" and yet tell
everyonenot to use it.

I'd like PG10 to be the version where I don't have to tell people not
to use certain things, hash indexes, "password" etc.

Between md5 and scram, the choice is easy, because a user can only have an MD5 hashed or SCRAM "hashed" password in pg_authid. So you present the client an MD5 challenge or a SCRAM challenge, depending on what the user has in pg_authid, or you error out without even trying. But "password" authentication can be used with any kind of a verifier in pg_authid. "password" authentication can be useful, for example, if a user has a SCRAM verifier in pg_authid, but the client doesn't support SCRAM.

You could argue that you shouldn't use it even in that situation, you should upgrade the client, or use SSL certs or an ssh tunnel or something else instead. But that's a very different argument than the one for treating "md5" as ">= md5".

Also note that LDAP and RADIUS authentication look identical to "password" authentication, on the wire. The only difference is that instead of checking the password against pg_authid, the server checks it against an LDAP or RADIUS server.

- Heikki

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to