Re: [HACKERS] Letting the client choose the protocol to use during a SASL exchange - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: [HACKERS] Letting the client choose the protocol to use during a SASL exchange
Msg-id CAB7nPqTAwqW7ktSZA6njEKVbhLFHU8ZVjqu4GNcv+OHCpj4yHQ@mail.gmail.com
In response to Re: [HACKERS] Letting the client choose the protocol to use during a SASL exchange  (Craig Ringer <craig.ringer@2ndquadrant.com>)
List pgsql-hackers
On Fri, Apr 14, 2017 at 8:28 PM, Craig Ringer
<craig.ringer@2ndquadrant.com> wrote:
> There's no point advertising scram-512 if only -256 can work for 'bob'
> because that's what we have in pg_authid.

The possibility to have multiple verifiers has other benefits than
that, password rolling being one. We may want to revisit that once
there is a need to have a pg_auth_verifiers; my intuition on the
matter is that we are years away from it, but we'll very likely need
it for more reasons than the one you are raising here.

> Yes, filtering the advertised mechs exposes info. But not being able to log
> in if you're the legitimate user without configuring the client with your
> password hash format would suck too.

Yup.
-- 
Michael
