| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: scram and \password |
| Date: | 2017-03-11 20:35:38 |
| Message-ID: | 82d23d50-ba5d-69c1-99c9-7f28d5504b2e@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 03/10/2017 02:43 PM, Michael Paquier wrote:
> On Sat, Mar 11, 2017 at 2:53 AM, Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:
>> Should the \password tool in psql inspect password_encryption and act on it
>> being 'scram'?
>
> Not sure if it is wise to change the default fot this release.
>
>> I didn't see this issue discussed, but the ability to search the archives
>> for backslashes is rather limited.
>
> I'll save you some time: it has not been discussed. Nor has
> PQencryptPassword been mentioned. Changing to SCRAM is not that
> complicated, just call scram_build_verifier() and you are good to go.
>
> Instead of changing the default, I think that we should take this
> occasion to rename PQencryptPassword to something like
> PQhashPassword(), and extend it with a method argument to support both
> md5 and scram. PQencryptPassword could also be marked as deprecated,
> or let as-is for some time. For \password, we could have another
> meta-command but that sounds grotty, or just extend \password with a
> --method argument. Switching the default could happen in another
> release.
>
> A patch among those lines would be a simple, do people feel that this
> should be part of PG 10?
Seems like it should work in an analogous way to CREATE/ALTER ROLE.
According to the docs:
8<----
ENCRYPTED
UNENCRYPTED
These key words control whether the password is stored encrypted in
the system catalogs. (If neither is specified, the default behavior is
determined by the configuration parameter password_encryption.) If the
presented password string is already in MD5-encrypted or SCRAM-encrypted
format, then it is stored encrypted as-is, regardless of whether
ENCRYPTED or UNENCRYPTED is specified (since the system cannot decrypt
the specified encrypted password string). This allows reloading of
encrypted passwords during dump/restore.
8<----
So if the password is not already set, \password uses
password_encryption to determine which format to use, and if the
password is already set, then the current method is assumed.
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2017-03-11 20:37:00 | Re: [HACKERS] Small issue in online devel documentation build |
| Previous Message | Jim Nasby | 2017-03-11 20:28:00 | Re: Index usage for elem-contained-by-const-range clauses |