Heikki Linnakangas <hlinn...@iki.fi> writes:
> On 05/03/2017 07:14 PM, Tom Lane wrote:
>> Is it possible that there are still client libraries that don't support
>> password encryption at all?  If so, are we willing to break them?
>> I'd say "yes" but it's worth thinking about.

> That doesn't make sense. The client doesn't even know what 
> password_encryption is set to. I think you're confusing 
> password_encryption='plain' with the plaintext "password" authentication 
> method.

Ah, you're right.

> If the server has an MD5 hash stored in pg_authid, the server will ask 
> the client to do MD5 authentication. If the server has a SCRAM verifier 
> in pg_authid, it will ask the client to do SCRAM authentication. If the 
> server has a plaintext password in pg_authid, it will also ask the 
> client to do SCRAM authentication (it could ask for MD5 authentication, 
> but as the code stands, it will ask for SCRAM).

Um.  That would be a backwards compatibility break ... but it doesn't
matter if we get rid of the option to store in plaintext.

The other question I can think to ask is what will happen during
pg_upgrade, given an existing installation with one or more passwords
stored plain.  If the answer is "silently convert to MD5", I'd be
good with that.

                        regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
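As an added illustration of the selection logic Heikki describes above (not code from the thread or from PostgreSQL itself), the following Python sketch classifies a pg_authid rolpassword value by its on-disk format, picks the authentication method the server would request, and builds both an MD5-style and a SCRAM-SHA-256-style verifier so the "silently convert to MD5" upgrade path Tom asks about can be seen end to end. The verifier layouts (`md5` + hex of md5(password || username); `SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>`) follow the PostgreSQL documentation and RFC 5802; the helper names, the sample username and password, and the `convert_plain_for_upgrade` function are assumptions made here, and SASLprep normalization of the password is deliberately skipped.

```python
import base64
import hashlib
import hmac


def md5_verifier(password: str, username: str) -> str:
    """Legacy PostgreSQL format: 'md5' + hex(md5(password || username)), 35 chars."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """RFC 5802 style verifier as stored by PostgreSQL:
    SCRAM-SHA-256$<iterations>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>
    (SASLprep of the password is omitted in this example)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def classify_secret(rolpassword: str) -> str:
    """Return 'scram', 'md5' or 'plain' depending on how the secret is stored."""
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram"
    hexdigits = set("0123456789abcdef")
    if (len(rolpassword) == 35 and rolpassword.startswith("md5")
            and all(c in hexdigits for c in rolpassword[3:])):
        return "md5"
    return "plain"


def auth_method_for(rolpassword: str) -> str:
    """The method the server asks the client for, per the quoted description:
    an MD5 hash -> md5 authentication; a SCRAM verifier -> SCRAM;
    a plaintext secret -> also SCRAM (the server can compute the verifier itself)."""
    if classify_secret(rolpassword) == "md5":
        return "md5"
    return "scram-sha-256"


def convert_plain_for_upgrade(rolpassword: str, username: str) -> str:
    """Hypothetical pg_upgrade step: rewrite a plaintext secret as an MD5 hash,
    leave already-hashed secrets untouched."""
    if classify_secret(rolpassword) == "plain":
        return md5_verifier(rolpassword, username)
    return rolpassword


def scram_stored_key_matches(verifier: str, password: str) -> bool:
    """Server-side check: recompute ClientKey from the password and confirm
    SHA-256(ClientKey) equals the StoredKey in the verifier."""
    _, params, keys = verifier.split("$")
    iterations, salt_b64 = params.split(":")
    stored_key_b64, _ = keys.split(":")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(),
                               base64.b64decode(stored_key_b64))


if __name__ == "__main__":
    # Constructed sample role; the salt would normally be random bytes.
    user, pw, salt = "alice", "hunter2", b"0123456789abcdef"
    for secret in (pw, md5_verifier(pw, user), scram_sha256_verifier(pw, salt)):
        print(f"{classify_secret(secret):5s} -> {auth_method_for(secret)}")
    print("after upgrade:", convert_plain_for_upgrade(pw, user))
```

The point the sketch makes concrete is that the client never sees `password_encryption`; only the format of the stored secret drives which challenge the server issues, which is why a plaintext row being answered with a SCRAM challenge is a server-side decision rather than a client capability question.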
