| From: | Josh Berkus <josh(at)agliodbs(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: WIP: SCRAM authentication |
| Date: | 2015-08-11 18:00:18 |
| Message-ID: | 55CA3832.2050007@agliodbs.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 08/11/2015 10:06 AM, Robert Haas wrote:
> On Tue, Aug 11, 2015 at 12:49 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>> That makes sense if drivers go that way. I'm concerned that some
>> drivers will have a different call for a SCRAM connection than for an
>> MD5 one; we'd want to exert our project influence to prevent that from
>> happening.
>
> I'm not sure that would be a disaster, but do any existing drivers
> have a different call for a cleartext password
> (pg_hba.conf='password') than they do for an MD5 password
> (pg_hba.conf='md5')? If not, I'm not sure why they'd add that just
> because there is now a third way of doing password-based
> authentication.
Well, there is a different send-and-response cycle to the SCRAM
approach, no? Plus, I've seen driver authors do strange things in the
past, including PHP's various drivers and pypgsql, which IIRC required
you to manually pick a protocol version. I'm not saying we should plan
for bad design, we should just get the word out to driver authors that
we think it would be a good idea to support both methods transparently.
>> That also makes it a bit harder to test the new auth on a few app
>> servers before a general rollout, but there's ways around that.
>
> Well, staging servers are a good idea...
Don't get me started. :-b
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2015-08-11 18:35:49 | Re: WIP: SCRAM authentication |
| Previous Message | Steve Thames | 2015-08-11 17:59:36 | Re: pg_dump and search_path |