| From: | Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
|---|---|
| To: | "Tom Lane *EXTERN*" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: password_encryption, default and 'plain' support |
| Date: | 2017-05-05 07:38:38 |
| Message-ID: | A737B7A37273E048B164557ADEF4A58B53A348EA@ntex2010i.host.magwien.gv.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>>> So, I propose that we remove support for password_encryption='plain' in
>>> PostgreSQL 10. If you try to do that, you'll get an error.
>> I have no idea how widely used that option is.
> Is it possible that there are still client libraries that don't support
> password encryption at all? If so, are we willing to break them?
> I'd say "yes" but it's worth thinking about.
We have one application that has been reduced to "password" authentication
ever since "crypt" authentication was removed, because they implemented the
line protocol rather than using libpq and never bothered to move to "md5".
But then, it might be a good idea to break this application, because that
would force the vendor to implement something that is not a
blatant security problem.
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2017-05-05 07:49:57 | Re: [PROPOSAL] Use SnapshotAny in get_actual_variable_range |
| Previous Message | Amit Kapila | 2017-05-05 07:34:57 | Re: Change GetLastImportantRecPtr's definition? (wasSkip checkpoints, archiving on idle systems.) |