Re: Possible to store invalid SCRAM-SHA-256 Passwords

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: Possible to store invalid SCRAM-SHA-256 Passwords
Date: 2019-04-23 14:43:06
Message-ID: 20190423144306.GQ6197@tamriel.snowman.net
Lists: pgsql-bugs

Greetings,

* Michael Paquier (michael(at)paquier(dot)xyz) wrote:
> On Mon, Apr 22, 2019 at 09:52:15AM -0400, Stephen Frost wrote:
> > I recall having exactly that debate when SCRAM was being worked on and
> > the push-back basically being that it was more work and we'd have to
> > have additional syntax for ALTER USER, et al. I wish I had had more
> > time to spend on that discussion. Water under the bridge now, but
> > hopefully we learn from this and maybe someone refactors how this works
> > sometime soon (or, at least, whenever we add the next password
> > encoding).
>
> I am not sure that this would have been more work for ALTER TABLE as
> we could have relied on just password_encryption to do the work as we
> do now. The reluctance was to have more additional columns in
> pg_authid as far as I recall, and I sided with having a separate
> catalog, and more independent verifier type checks in the catalogs, as
> you may recall, which would have also eased password rollups for a
> given role.

Yes, having an independent catalog table would have been a good approach
too, much better than where we're at now. I hope someone has time to
work on that for a future version.

Thanks!

Stephen
