Re: WIP: SCRAM authentication
Michael Paquier <michael.paquier@gmail.com>
From: Michael Paquier <michael.paquier@gmail.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Sehrope Sarkuni <sehrope@jackdb.com>, Josh Berkus <josh@agliodbs.com>,
Heikki Linnakangas <hlinnaka@iki.fi>, Robert Haas <robertmhaas@gmail.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2015-08-10T02:22:56Z
Lists: pgsql-hackers
On Mon, Aug 10, 2015 at 6:05 AM, Stephen Frost <sfrost@snowman.net> wrote: > * Sehrope Sarkuni (sehrope@jackdb.com) wrote: >> It'd be nice if the new auth mechanism supports multiple passwords in the >> same format as well (not just one per format). >> >> That way you could have two different passwords for a user that are active >> at the same time. This would simplify rolling database credentials as it >> wouldn't have to be done all at once. You could add the new credentials, >> update your app servers one by one, then disable the old ones. >> >> A lot of systems that use API keys let you see the last time a particular >> set of keys was used. This helps answer the "Is this going to break >> something if I disable it?" question. Having a last used at timestamp for >> each auth mechanism (per user) would be useful. > > Excellent points and +1 to all of these ideas from me. Interesting. I haven't thought of that and those are nice suggestions. I am not convinced that this is something to tackle with a first version of the patch though, I am sure we'll have enough problems to deal with to get out a nice base usable for future improvements as well. -- Michael
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed