Re: Password identifiers, protocol aging and SCRAM protocol

David Steele <david@pgmasters.net>

From: David Steele <david@pgmasters.net>
To: Heikki Linnakangas <hlinnaka@iki.fi>, Michael Paquier <michael.paquier@gmail.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, David Fetter <david@fetter.org>, Alvaro Herrera <alvherre@2ndquadrant.com>, Magnus Hagander <magnus@hagander.net>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Julian Markwort <julian.markwort@uni-muenster.de>, Stephen Frost <sfrost@snowman.net>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>, Valery Popov <v.popov@postgrespro.ru>
Date: 2016-09-28T13:34:47Z
Lists: pgsql-hackers
On 9/28/16 5:25 AM, Heikki Linnakangas wrote:
> 
> Once we get the main SCRAM patch in, we may want to remove the "on"
> alias altogether. We don't promise backwards-compatibility of config
> files or GUC values, and not many people set password_encryption=on
> explicitly anyway, since it's the default.

+1.

-- 
-David
david@pgmasters.net


Commits

  1. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

  2. Refactor SHA2 functions and move them to src/common/.

  3. Replace isMD5() with a more future-proof way to check if pw is encrypted.

  4. Remove bogus notice that older clients might not work with MD5 passwords.

  5. Refactor the code for verifying user's password.

  6. Replace PostmasterRandom() with a stronger source, second attempt.

  7. Remove support for (insecure) crypt authentication.