On 04/18/2017 11:15 AM, Simon Riggs wrote:
> As a potential open item, if we treat "md5" as ">= md5"
> should we not also treat "password" as ">=password"?
>
> It seems strange that we still support "password" and yet tell
> everyonenot to use it.
>
> I'd like PG10 to be the version where I don't have to tell people not
> to use certain things, hash indexes, "password" etc.
Between md5 and scram, the choice is easy, because a user can only have
an MD5 hashed or SCRAM "hashed" password in pg_authid. So you present
the client an MD5 challenge or a SCRAM challenge, depending on what the
user has in pg_authid, or you error out without even trying. But
"password" authentication can be used with any kind of a verifier in
pg_authid. "password" authentication can be useful, for example, if a
user has a SCRAM verifier in pg_authid, but the client doesn't support
SCRAM.
You could argue that you shouldn't use it even in that situation, you
should upgrade the client, or use SSL certs or an ssh tunnel or
something else instead. But that's a very different argument than the
one for treating "md5" as ">= md5".
Also note that LDAP and RADIUS authentication look identical to
"password" authentication, on the wire. The only difference is that
instead of checking the password against pg_authid, the server checks it
against an LDAP or RADIUS server.
- Heikki
