On 12/14/22 6:52 PM, Michael Paquier wrote:
> On Wed, Dec 14, 2022 at 01:59:04PM -0500, Jonathan S. Katz wrote:
HA-256 that we will just need to pick up?
>
>>> The attached v2 has the GUC rename and a change to GUC_REPORT such that the
>>> frontend can use the real value rather than the default. I kept it for super
>>> users so far, do you think it should be a user setting being somewhat sensitive?
>>
>> No, because a user can set the number of iterations today if they build
>> their own SCRAM secret. I think it's OK if they change it in a session.
>>
>> If a superuser wants to enforce a minimum iteration count, they can write a
>> password_check_hook. (Or we could add another GUC to enforce that).
>
> Hm? check_password_hook does not allow one to recompile the password
> given by the user, except if I am missing your point?
My point is you can write a hook to reject the password if the iteration
count is "too low". Not to re-hash the password.
Thanks,
Jonathan
