Re: md5 passwords and pg_shadow

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Neil Conway <nconway(at)klamath(dot)dyndns(dot)org>
Cc: pgman(at)candle(dot)pha(dot)pa(dot)us, pgsql-hackers(at)postgresql(dot)org
Subject: Re: md5 passwords and pg_shadow
Date: 2002-04-25 18:54:18
Message-ID: 4665.1019760858@sss.pgh.pa.us
Lists: pgsql-hackers

Neil Conway <nconway(at)klamath(dot)dyndns(dot)org> writes:
> How many pre-7.2 clients are actually out there? If 'crypt' authentication
> is deprecated in 7.2, is there any chance it will be removed in
> 7.3? If it is, it should be safe to switch to the scheme I mentioned
> in my previous email, which is both less complicated, and
> "secure-by-default".

I don't see any particular need to change the implementation; what we
have works and it's flexible. I do think we should change the default
password_encryption setting soon. IIRC, we agreed to default to FALSE
at a time when we didn't have md5 password support in the jdbc and odbc
drivers. We probably should have revisited the decision once we knew
that 7.2 would ship with md5 support in all client libraries --- but
we didn't think to.

It seems unlikely to me that FALSE will be the preferred setting for
very many 7.3 installations. There might be a few people out there
still using 7.1 clients with 7.3 servers, but a majority? No.

regards, tom lane
