Re: SCRAM authentication, take three

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Noah Misch <noah(at)leadboat(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Aleksander Alekseev <a(dot)alekseev(at)postgrespro(dot)ru>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, magnus(at)hagander(dot)net, robertmhaas(at)gmail(dot)com
Subject: Re: SCRAM authentication, take three
Date: 2017-04-11 01:47:11
Message-ID: 92d44dc1-8c97-ae36-25c1-e70590590009@2ndquadrant.com
Lists: pgsql-hackers

On 4/9/17 19:19, Noah Misch wrote:
> These are the two chief approaches I'm seeing:
>
> 1. scram-sha-256, scram-sha-256-plus, and successors will be their own
> pg_hba.conf authentication methods. Until and unless someone implements an
> ability to name multiple methods per HBA line, you must choose exactly one
> SASL method. The concrete work for v10 would be merely renaming "scram" to
> "scram-sha-256".

I like that.

> 2. Create a multiplexed authentication method like "sasl" or "scram" (not to
> be confused with today's "scram" method, which denotes SCRAM-SHA-256
> precisely). The DBA permits concrete methods like scram-sha-256 via HBA
> option. Absent that option, the system could default to a reasonable list.

The problem with that approach is that you would then eventually need
yet another place like pg_hba.conf to configure which SASL mechanisms to
use under which circumstances. pg_hba.conf is already that place for
the Legacy Authentication and Security Layer, so it could be that place
for SASL as well.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
