On Wed, Apr 26, 2017 at 12:20 AM, Bruce Momjian <br...@momjian.us> wrote: > On Tue, Apr 25, 2017 at 02:39:40PM +0900, Michael Paquier wrote: >> <para> >> Add <link linkend="auth-pg-hba-conf"><literal>SCRAM-SHA-256</></> >> support for password negotiation and storage (Michael >> Paquier, Heikki Linnakangas) >> </para> >> <para> >> This proves better security than the existing 'md5' negotiation and >> storage method. >> </para> >> This is quite vague... > > Can you give me better text? I can't think of any.
Sure, here is an idea: Add support for SASL authentication using protocol mechanism SCRAM-SHA-256 per RFC 5802 and 7677. (adding a reference to the RFCs with a link seems important to me). SCRAM-SHA-256 improves deficiencies of MD5 password hashing by preventing any kind of pass-the-hash vulnerabilities, where a user would be able to connect to a PostgreSQL instance by just knowing the hash of a password and not the password itself. -- Michael -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers