On Mon, Mar 13, 2017 at 04:48:21PM +0800, Craig Ringer wrote:
> On 12 March 2017 at 06:51, Joe Conway <mail@joeconway.com> wrote:
>
> > My opinion is that the user visible aspects of this should be deprecated
> > and correct syntax provided. But perhaps that is overkill.
>
> FWIW, in my experience, pretty much nobody understands the pretty
> tangled behaviour of "WITH [ENCRYPTED] PASSWORD", you have to
> understand the fact table of:
>
> * ENCRYPTED, UNENCRYPTED or neither set
> * password_encryption GUC on or off
> * password begins / doesn't begin with fixed string 'md5'
>
> to fully know what will happen.
>
> Then of course, you have to understand how all this interacts with
> pg_hba.conf's 'password' and 'md5' options.
>
> It's a right mess. Since our catalogs don't keep track of the hash
> separately to the password text and use prefixes instead, and since we
> need compatibility for dumps, it's hard to do a great deal about
> though.
With SCRAM coming in PG 10, is there anything we can do to clean this up
for PG 10?
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +