Re: PATCH: warn about, and deprecate, clear text passwords
From | Nathan Bossart |
---|---|
Subject | Re: PATCH: warn about, and deprecate, clear text passwords |
Date | |
Msg-id | Z73jBpWlBEuvLjEj@nathan |
In reply to | Re: PATCH: warn about, and deprecate, clear text passwords (Greg Sabino Mullane <htamfids@gmail.com>) |
Responses | Re: PATCH: warn about, and deprecate, clear text passwords |
List | pgsql-hackers |

On Mon, Feb 24, 2025 at 04:20:44PM -0500, Greg Sabino Mullane wrote:
> On Mon, Feb 24, 2025 at 4:18 PM Nathan Bossart <nathandbossart@gmail.com>
> wrote:
>> Well, the discussion upthread suggests "disallowing plain text passwords
>> completely"
>
> Yeah, that's more of a long-term dream than a real plan. It would certainly
> be no sooner than Postgres v24 or so...

I noticed a nearby thread [0] in which there appears to be some budding support for a GUC that disables sending passwords to the server in clear-text, at least for CREATE/ALTER ROLE. Perhaps we just add that for now. (I'm probably well over my quota for new GUCs in v18...)

IMHO a WARNING would really only be appropriate if we are definitely going to remove support in the future, and that feels like a bit of a stretch to me due to the level of breakage it could cause. That being said, folks did seem on board enough with deprecating MD5 passwords for me to feel comfortable committing it, although that might not quite be an apples-to-apples comparison. In any case, we've long encouraged folks to avoid sending passwords to the server in clear-text, so I think it's reasonable to provide some way to enforce that server-side.

[0] https://postgr.es/m/3136308.1740155121%40sss.pgh.pa.us

--
nathan