Re: WIP: SCRAM authentication
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Stephen Frost <sfrost@snowman.net>
Cc: Greg Stark <stark@mit.edu>, Robert Haas <robertmhaas@gmail.com>,
Josh Berkus <josh@agliodbs.com>, Peter Eisentraut <peter_e@gmx.net>,
Heikki Linnakangas <hlinnaka@iki.fi>,
Michael Paquier <michael.paquier@gmail.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2015-09-05T00:31:47Z
Lists: pgsql-hackers
On Fri, Sep 4, 2015 at 04:51:33PM -0400, Stephen Frost wrote: > > Coming in late, but can you explain how multiple passwords allow for > > easier automated credential rotation? If you have five applications > > with stored passwords, I imagine you can't change them all at once, so > > with multiples you could change it on one, then go to the others and > > change it there, and finally, remove the old password. Is that the > > process? I am not realizing that without multiple plasswords, this is a > > hard problem. > > That's exactly the process if multiple passwords can be used. If > there's only one account and one password supported then you have to > change all the systems all at once and that certainly can be a hard > problem. > > One way to deal with this is to have a bunch of different accounts, but > that's certainly not simple either and can get quite painful. OK, for me, if we can explain the benefit for users, it seems worth doing just to allow that. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. +
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed