Re: WIP: SCRAM authentication

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Stephen Frost <sfrost@snowman.net>
Cc: Greg Stark <stark@mit.edu>, Robert Haas <robertmhaas@gmail.com>, Josh Berkus <josh@agliodbs.com>, Peter Eisentraut <peter_e@gmx.net>, Heikki Linnakangas <hlinnaka@iki.fi>, Michael Paquier <michael.paquier@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2015-09-05T00:31:47Z
Lists: pgsql-hackers
On Fri, Sep  4, 2015 at 04:51:33PM -0400, Stephen Frost wrote:
> > Coming in late, but can you explain how multiple passwords allow for
> > easier automated credential rotation?  If you have five applications
> > with stored passwords, I imagine you can't change them all at once, so
> > with multiples you could change it on one, then go to the others and
> > change it there, and finally, remove the old password.  Is that the
> > process?  I am not realizing that without multiple plasswords, this is a
> > hard problem.
> 
> That's exactly the process if multiple passwords can be used.  If
> there's only one account and one password supported then you have to
> change all the systems all at once and that certainly can be a hard
> problem.
> 
> One way to deal with this is to have a bunch of different accounts, but
> that's certainly not simple either and can get quite painful.

OK, for me, if we can explain the benefit for users, it seems worth
doing just to allow that.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +


Commits

  1. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).