From: | Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> |
---|---|
To: | sfrost(at)snowman(dot)net |
Cc: | ishii(at)sraoss(dot)co(dot)jp, michael(dot)paquier(at)gmail(dot)com, robertmhaas(at)gmail(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: SCRAM auth and Pgpool-II |
Date: | 2017-07-14 00:09:26 |
Message-ID: | 20170714.090926.2300997196168224053.t-ishii@sraoss.co.jp |
Lists: | pgsql-hackers |
>> Using a clear text password would not be acceptable for users even
>> through an encrypted connection, I think.
>
> Really, I don't think users who are concerned with security should be
> using the md5 method either.
The comment in pg_hba.conf.sample seems to prefer md5 over clear text
password.
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
> What would be really nice for such cases is support for Kerberos and
> delegated Kerberos credentials. Having pgpool support that would remove
> the need to deal with passwords at all.
>
> Ditto for having postgres_fdw support same. More often than not,
> Kerberos deployments (via AD, generally) is what I find in the
> enterprises that I work with and they're happy to see we have Kerberos
> but it's disappointing when they can't use Kerberos with either
> connection poolers or with FDWs.
I would add supporting Kerberos to the Pgpool-II todo list.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp