On 24/05/2019 16:01, Stephen Frost wrote:
> What I was really getting at though was the ability to have multiple
> authenticator tokens active concurrently (eg: md5 AND SCRAM), with an
> ability to use either one (idk, md5_or_scram auth method?), and then
> automatically set both on password change until everything is using
> SCRAM and then remove all MD5 stuff.

Umm, that's what "md5" already does. Per documentation
(https://www.postgresql.org/docs/current/auth-password.html):

> To ease transition from the md5 method to the newer SCRAM method, if
> md5 is specified as a method in pg_hba.conf but the user's password on
> the server is encrypted for SCRAM (see below), then SCRAM-based
> authentication will automatically be chosen instead.

The migration path is:

1. Use "md5" in pg_hba.conf, and put password_encryption='scram-sha-256'
in postgresql.conf.
2. Wait until all users have reset their passwords, so that all users
have a SCRAM-SHA-256 verifier.
3. Replace "md5" with "scram-sha-256" in pg_hba.conf.

Step 3 is kind of optional; once all users have a SCRAM verifier instead
of an MD5 hash, they will all use SCRAM even without changing
pg_hba.conf. It just prevents MD5 authentication in case a user forces a
new MD5 hash into the system e.g. by changing password_encryption, or by
setting an MD5 password explicitly with ALTER USER.

- Heikki
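The check behind step 2 of the migration path above, as an added example that is not part of the thread or of PostgreSQL itself: it classifies pg_authid.rolpassword values by verifier format (an MD5 verifier is "md5" followed by 32 hex digits of md5(password || username); a SCRAM verifier is "SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>"), reports which login roles still carry an MD5 hash, and only then declares the pg_hba.conf switch in step 3 safe. The role names, passwords and salt are constructed, and the query string is the one you would run as a superuser rather than output captured from a server.

```python
"""Offline check for the md5 -> scram-sha-256 migration (added example, not project code)."""
import base64
import hashlib
import hmac
import re
from typing import Iterable, List, Optional, Tuple

# Assumption: run this query as a superuser; pg_authid is not readable by ordinary roles.
ROLE_VERIFIER_QUERY = "SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin;"

# rolpassword formats as stored by the server.
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$"
)


def classify_verifier(rolpassword: Optional[str]) -> str:
    """Return 'none', 'md5', 'scram-sha-256' or 'unknown' for one rolpassword value."""
    if rolpassword is None:
        return "none"  # role has no password; pg_hba 'md5'/'scram' auth will simply fail
    if MD5_RE.match(rolpassword):
        return "md5"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    return "unknown"  # e.g. a plaintext or foreign value; treat as blocking the migration


def md5_verifier(username: str, password: str) -> str:
    """Build the legacy MD5 verifier exactly as the server stores it (md5 of password||username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build a SCRAM-SHA-256 verifier (RFC 5802/7677 key derivation, PostgreSQL storage format)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def roles_still_on_md5(rows: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """Roles whose stored verifier is still an MD5 hash (these must reset their password)."""
    return sorted(name for name, pw in rows if classify_verifier(pw) == "md5")


def migration_complete(rows: Iterable[Tuple[str, Optional[str]]]) -> bool:
    """True once no login role carries an MD5 (or unrecognised) verifier, i.e. step 3 is safe."""
    return not any(classify_verifier(pw) in ("md5", "unknown") for _, pw in rows)


def pg_hba_method(rows: Iterable[Tuple[str, Optional[str]]]) -> str:
    """Auth method to keep in pg_hba.conf at this stage of the migration."""
    return "scram-sha-256" if migration_complete(list(rows)) else "md5"


# Constructed sample of what ROLE_VERIFIER_QUERY might return mid-migration.
_SALT = bytes(range(16))  # constructed, fixed so the example is deterministic
SAMPLE_ROWS = [
    ("alice", scram_sha256_verifier("correct horse", _SALT)),   # already reset under scram
    ("legacy_app", md5_verifier("legacy_app", "hunter2")),      # still on MD5
    ("replicator", None),                                        # no password at all
]

if __name__ == "__main__":
    for name, pw in SAMPLE_ROWS:
        print(f"{name:12s} {classify_verifier(pw)}")
    print("still on md5:", roles_still_on_md5(SAMPLE_ROWS))
    print("pg_hba.conf method for now:", pg_hba_method(SAMPLE_ROWS))
```

Feed the real query output into roles_still_on_md5() and keep "md5" in pg_hba.conf until it returns an empty list; after switching to "scram-sha-256", re-running the same check catches the case the message mentions, where someone later forces a fresh MD5 hash back in via password_encryption or ALTER USER.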