Re: SCRAM authentication, take three

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>, Noah Misch <noah@leadboat.com>
Cc: Michael Paquier <michael.paquier@gmail.com>, Aleksander Alekseev <a.alekseev@postgrespro.ru>, Alvaro Herrera <alvherre@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>, magnus@hagander.net, robertmhaas@gmail.com
Date: 2017-04-11T01:52:21Z
Lists: pgsql-hackers
On 4/10/17 04:27, Heikki Linnakangas wrote:
> One thing to consider is that we just made the decision that "md5" 
> actually means "md5 or scram-sha-256". Extrapolating from that, I think 
> we'll want "scram-sha-256" to mean "scram-sha-256 or scram-sha-256-plus" 
> (i.e. the channel-bonding variant) in the future. And if we get support 
> for scram-sha-512, "scram-sha-256" would presumably allow that too.

But how would you choose between scram-sha-256-plus and scram-sha-512?

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


Commits

  1. Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.

  2. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).