Re: password_encryption, default and 'plain' support
Albe Laurenz <laurenz.albe@wien.gv.at>
From: Albe Laurenz <laurenz.albe@wien.gv.at>
To: "Tom Lane *EXTERN*" <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2017-05-05T07:38:38Z
Lists: pgsql-hackers
Tom Lane wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: >>> So, I propose that we remove support for password_encryption='plain' in >>> PostgreSQL 10. If you try to do that, you'll get an error. >> I have no idea how widely used that option is. > Is it possible that there are still client libraries that don't support > password encryption at all? If so, are we willing to break them? > I'd say "yes" but it's worth thinking about. We have one application that has been reduced to "password" authentication ever since "crypt" authentication was removed, because they implemented the line protocol rather than using libpq and never bothered to move to "md5". But then, it might be a good idea to break this application, because that would force the vendor to implement something that is not a blatant security problem. Yours, Laurenz Albe
Commits
-
Remove support for password_encryption='off' / 'plain'.
- eb61136dc75a 10.0 landed