From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: WIP: SCRAM authentication |
Date: | 2015-08-18 18:19:39 |
Message-ID: | CA+TgmobP92kt+1acn1pdY0Kx-9xcaAWdhqOmu2yq216T0-2dJA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Aug 18, 2015 at 2:07 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> I would expect there to be people who would run into pg_upgrade
> complaining, that's why there would be the check. That's actually a
> much better situation than what happened around
> standard_conforming_strings. Further, users would be able to continue
> with their existing version until they're ready to move or it goes out
> of support, by which time, if their connector isn't updated, they should
> be moving off of it also. We hear about people running 8.4 and older
> because of some application which was never maintained or updated, and
> that sucks, but it doesn't prevent us from making the changes we need to
> make to move the project forward for the users who properly manage their
> systems and use supported connectors.
Sorry, that's a completely bogus argument. We do not "need" to
prevent people from upgrading if they haven't moved off of MD5
authentication; that's just an arbitrary - and IMHO extremely
user-hostile - policy decision. We have a legitimate need, to move
the project forward, to introduce a better system for password
authentication. Ripping out the old one is not a real need. I'm sure
at some point it will seem like antiquated cruft that nobody uses any
more, but that will not be in "a year or two" or anything close to
that.
> SCRAM itself, as has been discussed, supports multiple password
> verifiers- that's a specific case all by itself, and it's done
> specifically to address the issue that one or another of the algorithms
> used is compromised, or that a new algorithm becomes available which is
> better. AD and Kerberos support multiple password verifiers because of
> this and that it allows you to migrate from one to the next without
> having to do wholesale replacment across all systems involved. I bring
> them up as examples of the advances in password-based authentication
> which we've missed and because they are what users expect from current
> password-based authentication systems, not because we support them and
> therefore should just push everyone to them.
OK, that's an interesting argument. If SCRAM supports multiple
password verifiers, and we support SCRAM, then I guess we should
probably do that, too. I still don't like it all that much, though.
I think it's absolutely inevitable that people are going to end up
with an account with 3 or more different passwords that can all be
used to log into it, and that won't be good. How do other systems
avoid this pitfall?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2015-08-18 18:23:02 | Re: missing documentation for partial WAL files |
Previous Message | Stephen Frost | 2015-08-18 18:07:30 | Re: WIP: SCRAM authentication |