Re: [HACKERS] password_encryption, default and 'plain' support

From: Magnus Hagander
Subject: Re: [HACKERS] password_encryption, default and 'plain' support
Msg-id: CABUevEx0p=L9vWzEA54df5zY6C1XHqsnc12ghH=gG2sozJLSFQ@mail.gmail.com
In reply to: Re: [HACKERS] password_encryption, default and 'plain' support  (Albe Laurenz <laurenz.albe@wien.gv.at>)
List: pgsql-hackers


On Fri, May 5, 2017 at 9:38 AM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> Tom Lane wrote:
>> Robert Haas <robertmhaas@gmail.com> writes:
>>> On Wed, May 3, 2017 at 7:31 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>>>> So, I propose that we remove support for password_encryption='plain' in
>>>> PostgreSQL 10. If you try to do that, you'll get an error.
>
>>> I have no idea how widely used that option is.
>
>> Is it possible that there are still client libraries that don't support
>> password encryption at all?  If so, are we willing to break them?
>> I'd say "yes" but it's worth thinking about.
>
> We have one application that has been reduced to "password" authentication
> ever since "crypt" authentication was removed, because they implemented the
> line protocol rather than using libpq and never bothered to move to "md5".
>
> But then, it might be a good idea to break this application, because that
> would force the vendor to implement something that is not a
> blatant security problem.

It might. But I'm pretty sure the suggestion does not include removing the "password" authentication type; that one will still exist. This is just about password *storage*.

