On Wed, Jun 06, 2018 at 11:53:06PM +0300, Heikki Linnakangas wrote:
> That would certainly be good. We've always had that problem, even with md5
> -> plaintext password downgrade, and it would be nice to fix it. It's quite
> late in the release cycle already, do you think we should address that now?
> I could go either way..
I would be inclined to treat that as new development as this is no new
problem. Still that's linked with what is discussed on this thread with
scram_channel_bindin_mode.
> What should the option look like? Perhaps something like:
>
> allowed_authentication_methods=md5,SCRAM-SHA-256,SCRAM-SHA-256-PLUS
That's actually a discussion I had with somebody after my talk at
PGCon, and I suggested a comma-separate list of authorized protocols as
well, except that those could just map to the hba entries, and that each
entry could just be lower-case :)
--
Michael