Re: Password identifiers, protocol aging and SCRAM protocol

Поиск
Список
Период
Сортировка
От Michael Paquier
Тема Re: Password identifiers, protocol aging and SCRAM protocol
Дата
Msg-id CAB7nPqTpmnT0LKcoO3d5A-SQtvjutgYJO5kpP0j3h_8PTEFMfw@mail.gmail.com
обсуждение исходный текст
Ответ на Re: Password identifiers, protocol aging and SCRAM protocol  (David Steele <david@pgmasters.net>)
Список pgsql-hackers
Дерево обсуждения 
On Mon, Sep 26, 2016 at 9:22 PM, David Steele <david@pgmasters.net> wrote:
> On 9/26/16 4:54 AM, Heikki Linnakangas wrote:
>> Hmm. The server could send a SCRAM challenge first, and if the client
>> gives an incorrect response, or the username doesn't exist, or the
>> user's password is actually MD5-encrypted, the server could then send an
>> MD5 challenge. It would add one round-trip to the authentication of MD5
>> passwords, but that seems acceptable.

I don't think that this applies just to md5 or scram. Could we for
example use a connection parameter, like expected_auth_methods to do
that? We include that in the startup packet if the caller has defined
it, then the backend checks for matching entries in pg_hba.conf using
the username, database and the expected auth method if specified.
-- 
Michael

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Peter Eisentraut
Дата:
Сообщение: Re: pg_basebackup, pg_receivexlog and data durability (was: silent data loss with ext4 / all current versions)
Следующее
От: Michael Paquier
Дата:
Сообщение: Re: pg_basebackup, pg_receivexlog and data durability (was: silent data loss with ext4 / all current versions)