Re: pg_authid.rolpassword format (was Re: Password identifiers, protocol aging and SCRAM protocol)
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Magnus Hagander <magnus@hagander.net>
Cc: Michael Paquier <michael.paquier@gmail.com>,
Robert Haas <robertmhaas@gmail.com>, Andres Freund <andres@anarazel.de>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
David Steele <david@pgmasters.net>, Tom Lane <tgl@sss.pgh.pa.us>,
David Fetter <david@fetter.org>, Alvaro Herrera <alvherre@2ndquadrant.com>,
Julian Markwort <julian.markwort@uni-muenster.de>,
Stephen Frost <sfrost@snowman.net>,
PostgreSQL mailing lists <pgsql-hackers@postgresql.org>,
Valery Popov <v.popov@postgrespro.ru>
Date: 2017-01-03T12:11:20Z
Lists: pgsql-hackers
On 12/14/2016 01:33 PM, Heikki Linnakangas wrote: > I just noticed that the manual for CREATE ROLE says: > >> Note that older clients might lack support for the MD5 authentication >> mechanism that is needed to work with passwords that are stored >> encrypted. > > That's is incorrect. The alternative to MD5 authentication is plain > 'password' authentication, and that works just fine with MD5-hashed > passwords. I think that sentence is a leftover from when we still > supported "crypt" authentication (so I actually get to blame you for > that ;-), commit 53a5026b). Back then, it was true that if an MD5 hash > was stored in pg_authid, you couldn't do "crypt" authentication. That > might have left old clients out in the cold. > > Now that we're getting SCRAM authentication, we'll need a similar notice > there again, for the incompatibility of a SCRAM verifier with MDD5 > authentication and vice versa. I went ahead and removed the current bogus notice from the docs. We might need to put back something like it, with the SCRAM patch, but it needs to be rewritten anyway. - Heikki
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed
-
Refactor SHA2 functions and move them to src/common/.
- 273c458a2b3a 10.0 landed
-
Replace isMD5() with a more future-proof way to check if pw is encrypted.
- dbd69118c05d 10.0 landed
-
Remove bogus notice that older clients might not work with MD5 passwords.
- 7e3ae5455948 9.2.20 landed
- 470af1f41c8b 9.3.16 landed
- ada2cdb61015 9.4.11 landed
- 65a7f190b253 9.5.6 landed
- 7546c135dc30 9.6.2 landed
- 31c54096a18f 10.0 landed
-
Refactor the code for verifying user's password.
- e7f051b8f9a6 10.0 landed
-
Replace PostmasterRandom() with a stronger source, second attempt.
- fe0a0b5993df 10.0 landed
-
Remove support for (insecure) crypt authentication.
- 53a5026b5cb3 8.4.0 cited