Re: Stephen Frost
> > Why do I have to decide *in pg_hba.conf* which hash algorithm is used?
>
> Where else would you decide..?
Connections could just use whatever hash is used for the username in
pg_authid. There's no reason to expose that detail in pg_hba.conf.
> > Why can't that just be "password"?
>
> What would that mean?
The above.
> > Getting this mess fixed would be good for security because then people
> > will likely start using scram.
>
> That's certainly true, though I hope we can convince people to use SCRAM
> even given the modest effort required.
It's not modest. Or else this thread wouldn't have 20 mails.
> The point here though, really, is that *new* installations of PG have
> very little reason to not use SCRAM. The question on upgrades is
> different, but that can be addressed with pg_upgradecluster, I would
> think, without much trouble.
In pg_createcluster, if I move pg_hba.conf and password_encryption to
scram, and I restore a dump from an older PG major, can people
continue to connect using their passwords? From what I got above, the
answer is "no".
Should I only set password_encryption to scram and keep advertising
md5 as the sane default for pg_hba.conf?
Christoph