Re: Encrypting pg_shadow passwords - Mailing list pgsql-hackers

From Vince Vielhaber
Subject Re: Encrypting pg_shadow passwords
Date
Msg-id Pine.BSF.4.30.0106151059010.9395-100000@paprika.michvhf.com
In response to Re: Encrypting pg_shadow passwords  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
On Fri, 15 Jun 2001, Bruce Momjian wrote:

> > > Migrating old sites to encrypted pg_shadow passwords should be easy if a
> > > trigger on pg_shadow will look for unencrypted INSERTs and encrypt them.
> >
> > If encrypting pg_shadow will break the old-style crypt method, then I
> > think forcing a conversion via a trigger is unacceptable.  It will have
> > to be a DBA choice (at configure time, or possibly initdb?) whether to
> > use encryption or not in pg_shadow; accordingly, either crypt or "new
> > crypt" auth method will be supported by the server, not both.  But
> > client libraries could be built to support both auth methods.
>
> I hate to add initdb options because it may be confusing.  I wonder if
> we should have a script that encrypts the pg_shadow entries that can be
> run when the administrator knows that there are no old clients left
> around.  That way it can be run _after_ initdb.

Which clients actually read pg_shadow?  I always thought that only the
postmaster read it.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory    http://www.camping-usa.com
Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================




