On 02/11/2015 02:31 PM, Magnus Hagander wrote:
At least, looks like it would be the most urgent (and with no need for clients breaking in the process, AFAICT)
Adding a new system column with a text or enum representing the algorithm that created the "hash" would go a lot towards fixing this situation.
When/If the column isn't there, just assume "md5". This would allow for transparent pg_upgrade.
Then, based on the "default_hash" (or something to the same effect) GUC, automatically rewrite the hashes (and set the corresponding 'hash_type') upon password change.
Please note that this allows for clients supporting it (be it natively or by relying on an external SASL lib or the like) to request some challenge-response mechanism ---such as SCRAM-SHA256--- when available. In fact, some forms of challenge-response-ready hashes also support "password" (plaintext) with the same authenticator, thereby perfectly replacing the functionality we have today.
Existing implementation: Dovecot's CRAM-MD5 mechanism
Thanks,
/ J.L.