Re: SCRAM authentication, take three
Craig Ringer <craig@2ndquadrant.com>
From: Craig Ringer <craig@2ndquadrant.com>
To: Michael Paquier <michael.paquier@gmail.com>
Cc: Robert Haas <robertmhaas@gmail.com>, Heikki Linnakangas <hlinnaka@iki.fi>, Magnus Hagander <magnus@hagander.net>, Noah Misch <noah@leadboat.com>, Aleksander Alekseev <a.alekseev@postgrespro.ru>,
Alvaro Herrera <alvherre@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2017-04-10T05:57:38Z
Lists: pgsql-hackers
On 10 April 2017 at 13:57, Craig Ringer <craig@2ndquadrant.com> wrote: > On 10 April 2017 at 12:34, Michael Paquier <michael.paquier@gmail.com> wrote: > >> Attached is a patch to hopefully make the discussion progress. I >> simply propose to use sasl as a keyword for pg_hba.conf, on the basis >> that SASL is the protocol used, and scram is a mechanism used to >> achieve the SASL exchange. We can always come up with a set of options >> and aliases later, I am actually open to have more fancy extra options >> in pg_hba.conf. > > I'd really like to see this approach proceed. > > pg_hba.conf isn't the most user-friendly thing in the world, and seems > to be one of the top sources of confusion for new users. Simple is > good here IMO. > > Let users specify 'scram' and negotiate. sasl, rather. -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
Commits
-
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
- c727f120ff50 10.0 landed
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed