Re: scram and \password

On Tue, Apr 25, 2017 at 8:29 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > On Tue, Apr 25, 2017 at 11:26 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
> wrote:
> >> A) Have PQencryptPassword() return an md5 hash.
> >>
> >> B) Have PQencryptPassword() return a SCRAM verifier
> >>
> >> C) Have PQencryptPassword() return a SCRAM verifier if connected to a
> v10
> >> server, and an md5 hash otherwise. This is tricky, because
> PQencryptPassword
> >> doesn't take a PGconn argument. It could behave like PQescapeString()
> does,
> >> and choose md5/scram depending on the server version of the last
> connection
> >> that was established.
>
> > I vote for A - leave PQencryptPassword() as-is, and deprecate it.
> > Tell people to use the new function going forward.
>
> +1. I never much liked that magic behavior of PQescapeString, and don't
> think we should replicate it elsewhere, so I definitely don't like (C).
> And I don't think we can do (B) because that will break the functionality
> altogether when talking to an older server. That leaves (A) plus invent
> a new function.
>

+1.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>