Re: scram and \password

On 03/17/2017 05:38 AM, Michael Paquier wrote:
> Regression tests are proving to be useful here (it would be nice to
> get those committed first!). I am noticing that this patch breaks
> connection for users with cleartext or md5-hashed verifier when
> "password" is used in pg_hba.conf.

Are you sure? It works for me.

Here's a slightly updated patch that includes required changes to the
test case (now that those have been committed), and some re-wording in
the docs, per Joe's suggestion. All the tests pass here.

> -# Most users use SCRAM authentication, but some users use older clients
> -# that don't support SCRAM authentication, and need to be able to log
> -# in using MD5 authentication. Such users are put in the @md5users
> -# group, everyone else must use SCRAM.
> +# Require SCRAM authentication for most users, but make an exception
> +# for user 'mike', who uses an older client that doesn't support SCRAM
> +# authentication.
> #
> # TYPE DATABASE USER ADDRESS METHOD
> -host all @md5users .example.com md5
> +host all mike .example.com md5
> Why not still using @md5users?

The old example didn't make much sense, now that md5 means "md5 or
scram". Could've still used @md5users, but I think this is more clear.
The old explanation was wrong or at least misleading anyway, because
@md5users doesn't refer to a group, but a flat file that lists roles.

- Heikki