On Wed, Apr 26, 2017 at 12:20 AM, Bruce Momjian <bruce@momjian.us> wrote:
> On Tue, Apr 25, 2017 at 02:39:40PM +0900, Michael Paquier wrote:
>> <para>
>> Add <link linkend="auth-pg-hba-conf"><literal>SCRAM-SHA-256</></>
>> support for password negotiation and storage (Michael
>> Paquier, Heikki Linnakangas)
>> </para>
>> <para>
>> This proves better security than the existing 'md5' negotiation and
>> storage method.
>> </para>
>> This is quite vague...
>
> Can you give me better text? I can't think of any.
Sure, here is an idea:
Add support for SASL authentication using protocol mechanism
SCRAM-SHA-256 per RFC 5802 and 7677. (adding a reference to the RFCs
with a link seems important to me).
SCRAM-SHA-256 improves deficiencies of MD5 password hashing by
preventing any kind of pass-the-hash vulnerabilities, where a user
would be able to connect to a PostgreSQL instance by just knowing the
hash of a password and not the password itself.
--
Michael
