Re: change password_encryption default to scram-sha-256? - Mailing list pgsql-hackers

From Justin Pryzby
Subject Re: change password_encryption default to scram-sha-256?
Date
Msg-id 20190408194912.GA23816@telsasoft.com
In response to Re: change password_encryption default to scram-sha-256?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Mon, Apr 08, 2019 at 02:28:30PM -0400, Tom Lane wrote:
>On Mon, Apr 08, 2019 at 10:41:07AM -0700, Andres Freund wrote:
>> If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A
>> pretty large fraction of users use jdbc to access postgres. But it seems
>> to me that support has been merged for a while:
>> https://github.com/pgjdbc/pgjdbc/pull/1014
> 
> "Merged to upstream" is a whole lot different from "readily available in
> the field".  What's the actual status in common Linux distros, for
> example?

I found:

https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.1
Version 42.2.0 (2018-01-17)
Added
Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java 8+) using the Ongres SCRAM library. PR 842

I see that's in ubuntu, but not any LTS release:
https://packages.ubuntu.com/search?keywords=libpostgresql-jdbc-java

And in Debian testing, but no released version:
https://packages.debian.org/search?keywords=libpostgresql-jdbc-java

For centos6/7, OS packages would not have scram support:

$ yum list --showdupl postgresql-jdbc
Available Packages
postgresql-jdbc.noarch    9.2.1002-6.el7_5    base
postgresql-jdbc.noarch    42.2.5-1.rhel7.1    pgdg11

$ yum list --showdupl postgresql-jdbc
Available Packages
postgresql-jdbc.noarch    8.4.704-2.el6       base
postgresql-jdbc.noarch    42.2.5-1.rhel6.1    pgdg11

> The scenario that worries me here is somebody using a bleeding-edge PGDG
> server package in an environment where the rest of the Postgres ecosystem
> is much less bleeding-edge.

If someone installs a postgres RPM/DEB from postgresql.org, they could also
install postgresql-jdbc, right?

I realize that doesn't mean that people will consistently know to and actually
do that.

If the default were changed, possibly the PGDG package could define something
like (I haven't done packaging in a long time):
Conflicts: postgresql-jdbc<42.2.0

On Mon, Apr 08, 2019 at 03:18:42PM -0400, Jonathan S. Katz wrote:
> Well, if it's RHEL7, it's PostgreSQL 9.2 so, unless they're using our
> RPM, that definitely does not have it :)
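An added readiness check in Python, not from the thread or from pgjdbc: it parses `yum list --showdupl` output like the listings above to flag which postgresql-jdbc builds meet the 42.2.0 threshold the changelog gives for SCRAM support, and classifies pg_authid rolpassword values so roles still carrying md5 hashes can be found before pg_hba.conf is switched to scram-sha-256. The yum text is a constructed sample modelled on the CentOS 7 listing, not a real capture.

```python
import re

# Minimum pgjdbc release with SCRAM-SHA-256 support, per the 42.2.0 changelog entry.
SCRAM_MIN_JDBC = (42, 2, 0)

# Constructed sample of `yum list --showdupl postgresql-jdbc` output (not a real capture),
# in the wrapped layout yum uses when the package name is too long for its column.
SAMPLE_YUM_OUTPUT = """\
Available Packages
postgresql-jdbc.noarch
9.2.1002-6.el7_5                         base
postgresql-jdbc.noarch
42.2.5-1.rhel7.1                         pgdg11
"""

def parse_version(evr):
    """Turn an RPM version-release string such as '42.2.5-1.rhel7.1' into a
    comparable tuple of the upstream version numbers, e.g. (42, 2, 5)."""
    upstream = evr.split("-", 1)[0]          # drop the RPM release suffix
    return tuple(int(p) for p in upstream.split(".") if p.isdigit())

def scram_capable_packages(yum_output):
    """Return (version, repo, supports_scram) for every postgresql-jdbc build
    listed; handles both the wrapped and the single-line layouts of yum."""
    results = []
    pending_name = None
    for line in yum_output.splitlines():
        fields = line.split()
        if not fields or fields[-1] == "Packages":   # skip 'Available Packages' headers
            continue
        if len(fields) == 1 and fields[0].startswith("postgresql-jdbc"):
            pending_name = fields[0]                 # version/repo follow on the next line
            continue
        if len(fields) == 3:                         # single-line layout: name evr repo
            _, evr, repo = fields
        elif len(fields) == 2 and pending_name:      # wrapped layout: evr repo
            evr, repo = fields
        else:
            continue
        pending_name = None
        results.append((evr, repo, parse_version(evr) >= SCRAM_MIN_JDBC))
    return results

def rolpassword_kind(rolpassword):
    """Classify a pg_authid.rolpassword value: roles reported as 'md5' must be
    re-hashed (ALTER ROLE ... PASSWORD with password_encryption=scram-sha-256)
    before pg_hba.conf is changed from md5 to scram-sha-256."""
    if rolpassword is None:
        return "none"
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    return "unknown"
```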


