From: | Jesper Pedersen <jesper(dot)pedersen(at)comcast(dot)net> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Bruce Momjian <bruce(at)momjian(dot)us>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> |
Cc: | Nathan Bossart <nathandbossart(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: sunsetting md5 password support |
Date: | 2024-10-10 22:00:20 |
Message-ID: | 615f519f-b36f-4e8c-8e4c-df9789575001@comcast.net |
Lists: | pgsql-hackers |
On 10/10/24 5:45 PM, Heikki Linnakangas wrote:
> On 11/10/2024 00:03, Bruce Momjian wrote:
>> On Wed, Oct 9, 2024 at 10:30:15PM +0200, Jelte Fennema-Nio wrote:
>>> On Wed, 9 Oct 2024 at 21:55, Nathan Bossart
>>> <nathandbossart(at)gmail(dot)com> wrote:
>>>> In this message, I propose a multi-year, incremental approach to
>>>> remove MD5 password support from Postgres.
>>>
>>> +many for the general idea
>>>
>>> I think it makes sense to also remove the "password" authentication
>>> option while we're at it (this can currently be used with SCRAM stored
>>> passwords).
>>
>> I remember "password" as being recommended for SSL connections where
>> there is no risk of the password contents being seen.
>
> I wouldn't recommend it if SCRAM is available, but yeah, with TLS and
> sslmode=verify-full, it's secure enough.
>
> Note that some authentication methods like LDAP and Radius use
> "password" authentication on the wire.
>
Please, deprecate - aka remove - old methods.
All client libraries have caught up, and if they haven't then it is their
issue, not Core's.
+1.
Best regards,
Jesper
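As an added illustration of the point debated above (this is not part of the original message or of the PostgreSQL project's own files), a pg_hba.conf fragment placing the two weak settings under discussion beside the configuration the thread recommends; the address range 192.0.2.0/24 is a constructed placeholder.

```conf
# pg_hba.conf fragment (added example; 192.0.2.0/24 is a constructed placeholder).
# Entries are matched top to bottom and the first match wins.
#
# TYPE       DATABASE  USER  ADDRESS         METHOD
#
# Weak: "password" sends the cleartext password on the wire, and a "host"
# entry matches non-TLS connections too, so anyone observing the traffic
# can read it.
host         all       all   192.0.2.0/24    password
#
# Weak: md5 is the method this thread proposes to remove; SCRAM supersedes it.
host         all       all   192.0.2.0/24    md5
#
# Corrected: remote clients must use TLS, authenticate with SCRAM-SHA-256,
# and any non-TLS attempt is rejected before authentication is even tried.
hostssl      all       all   192.0.2.0/24    scram-sha-256
hostnossl    all       all   0.0.0.0/0       reject
```

Pair it with `password_encryption = scram-sha-256` in postgresql.conf so newly set passwords are stored as SCRAM verifiers, and find roles still carrying md5 hashes with `SELECT rolname FROM pg_authid WHERE rolpassword LIKE 'md5%';` (each of those passwords has to be re-set, for example with psql's `\password`, before md5 is switched off).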