Re: PATCH: warn about, and deprecate, clear text passwords
From | Greg Sabino Mullane |
---|---|
Subject | Re: PATCH: warn about, and deprecate, clear text passwords |
Date | |
Msg-id | CAKAnmmJWEijijbZ1Zg+gpr88VZdZ=DNz76=zr3eJoL+J5502wg@mail.gmail.com |
In response to | Re: PATCH: warn about, and deprecate, clear text passwords (Nathan Bossart <nathandbossart@gmail.com>) |
Responses | Re: PATCH: warn about, and deprecate, clear text passwords |
List | pgsql-hackers |
On Mon, Mar 3, 2025 at 11:33 AM Nathan Bossart <nathandbossart@gmail.com> wrote:
> I think it would be good to hear some other opinions on whether we should consider sending clear-text passwords to the server as either 1) fully supported, 2) deprecated but with no intent to remove anytime soon, or 3) deprecated with the intent of removal at some point in the next several years. I personally am -1 on the warning unless we have a consensus on (3), but I'm +1 on adding a way to enforce "pre-encryption" regardless.
That's more than fair. And "deprecation" doesn't need to mean that's the next step in the process. So warn -> deny by default (but allow if you work at it) -> remove completely. Which is very similar to our md5 path, I suppose. I'm certainly happy staying at that middle stage for an indefinite amount of time for both of those, as it means that Postgres is both "secure by default" but backwards compatible.
Cheers,
Greg
--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support