Re: WIP: SCRAM authentication
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Michael Paquier <michael.paquier@gmail.com>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2015-08-08T13:27:04Z
Lists: pgsql-hackers
On Fri, Aug 7, 2015 at 6:54 PM, Michael Paquier <michael.paquier@gmail.com> wrote: > This filtering machinery definitely looks like a GUC to me, something > like password_forbidden_encryption that PASSWORD VERIFIERS looks at > and discards the methods listed in there. This definitely needs to be > separated from password_encryption. I don't know what a "password verifier" is and I bet nobody else does either. Well, I think I sort of know: I think it's basically an encrypted password. Am I right? Even if I am, I bet the average user is going to scratch their head and punt. I don't see that there's any good reason to allow the same password to be stored in the catalog encrypted more than one way, and I don't think there's any good reason to introduce the PASSWORD VERIFIER terminology. I think we should store (1) your password, either encrypted or unencrypted; and (2) the method used to encrypt it. And that's it. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed