Re: password_encryption default

2020-06-10 Thread Michael Paquier
On Wed, Jun 10, 2020 at 10:51:22AM -0400, Jonathan S. Katz wrote:
> On 6/10/20 10:47 AM, Peter Eisentraut wrote:
>> committed
>
> Yay!!! Thank you!

Thanks, all.
--
Michael

Re: password_encryption default

2020-06-10 Thread Jonathan S. Katz
On 6/10/20 10:47 AM, Peter Eisentraut wrote: > On 2020-05-28 15:28, Jonathan S. Katz wrote: >> On 5/28/20 8:10 AM, Peter Eisentraut wrote: >>> On 2020-05-27 15:25, Jonathan S. Katz wrote: $ initdb -D data --auth-local=scram-sha-256 --auth-host=md5 Got an error message: "ini

Re: password_encryption default

2020-06-10 Thread Peter Eisentraut
On 2020-05-28 15:28, Jonathan S. Katz wrote: On 5/28/20 8:10 AM, Peter Eisentraut wrote: On 2020-05-27 15:25, Jonathan S. Katz wrote: $ initdb -D data --auth-local=scram-sha-256 --auth-host=md5 Got an error message: "initdb: error: must specify a password for the superuser to enable md5 authe

Re: password_encryption default

2020-05-29 Thread Tom Lane
Stephen Frost writes: > * Jonathan S. Katz (jk...@postgresql.org) wrote: >> By that logic, I would +1 removing ENCRYPTED & UNENCRYPTED, given >> ENCRYPTED effectively has no meaning either after all this time too. >> Perhaps a stepping stone is to emit a deprecation warning on PG14 and >> remove i

Re: password_encryption default

2020-05-29 Thread Jonathan S. Katz
On 5/29/20 9:22 AM, Stephen Frost wrote: > Greetings, > > * Jonathan S. Katz (jk...@postgresql.org) wrote: >> On 5/29/20 3:33 AM, Michael Paquier wrote: >>> On Thu, May 28, 2020 at 02:53:17PM +0200, Peter Eisentraut wrote: More along these lines: We could also remove the ENCRYPTED and UNENCRY

Re: password_encryption default

2020-05-29 Thread Stephen Frost
Greetings, * Jonathan S. Katz (jk...@postgresql.org) wrote: > On 5/29/20 3:33 AM, Michael Paquier wrote: > > On Thu, May 28, 2020 at 02:53:17PM +0200, Peter Eisentraut wrote: > >> More along these lines: We could also remove the ENCRYPTED and UNENCRYPTED > >> keywords from CREATE and ALTER ROLE.

Re: password_encryption default

2020-05-29 Thread Stephen Frost
Greetings, * Michael Paquier (mich...@paquier.xyz) wrote: > On Thu, May 28, 2020 at 02:53:17PM +0200, Peter Eisentraut wrote: > > More along these lines: We could also remove the ENCRYPTED and UNENCRYPTED > > keywords from CREATE and ALTER ROLE. AFAICT, these have never been emitted > > by pg_dum

Re: password_encryption default

2020-05-29 Thread Jonathan S. Katz
On 5/29/20 3:33 AM, Michael Paquier wrote: > On Thu, May 28, 2020 at 02:53:17PM +0200, Peter Eisentraut wrote: >> More along these lines: We could also remove the ENCRYPTED and UNENCRYPTED >> keywords from CREATE and ALTER ROLE. AFAICT, these have never been emitted >> by pg_dump or psql, so there

Re: password_encryption default

2020-05-29 Thread Michael Paquier
On Thu, May 28, 2020 at 02:53:17PM +0200, Peter Eisentraut wrote: > More along these lines: We could also remove the ENCRYPTED and UNENCRYPTED > keywords from CREATE and ALTER ROLE. AFAICT, these have never been emitted > by pg_dump or psql, so there are no concerns from that end. Thoughts? +0.5

Re: password_encryption default

2020-05-28 Thread Robert Haas
On Thu, May 28, 2020 at 10:01 AM Stephen Frost wrote:
> as if we don't know what columns are

Amen to that!

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: password_encryption default

2020-05-28 Thread Stephen Frost
Greetings, * Robert Haas (robertmh...@gmail.com) wrote: > On Thu, May 28, 2020 at 8:53 AM Peter Eisentraut > wrote: > > More along these lines: We could also remove the ENCRYPTED and > > UNENCRYPTED keywords from CREATE and ALTER ROLE. AFAICT, these have > > never been emitted by pg_dump or psql

Re: password_encryption default

2020-05-28 Thread Robert Haas
On Thu, May 28, 2020 at 8:53 AM Peter Eisentraut wrote: > More along these lines: We could also remove the ENCRYPTED and > UNENCRYPTED keywords from CREATE and ALTER ROLE. AFAICT, these have > never been emitted by pg_dump or psql, so there are no concerns from > that end. Thoughts? I have a qu

Re: password_encryption default

2020-05-28 Thread Jonathan S. Katz
On 5/28/20 8:10 AM, Peter Eisentraut wrote: > On 2020-05-27 15:25, Jonathan S. Katz wrote: >> $ initdb -D data --auth-local=scram-sha-256 --auth-host=md5 >> >> Got an error message: >> >> "initdb: error: must specify a password for the superuser to enable md5 >> authentication" >> >> For the last t

Re: password_encryption default

2020-05-28 Thread Peter Eisentraut
On 2020-05-27 15:59, Stephen Frost wrote: Agreed- let's remove the legacy options. As I've mentioned elsewhere, distros may manage the issue for us, and if we want to get into it, we could consider adding support to pg_upgrade to complain if it comes across a legacy setting that isn't valid. I'

Re: password_encryption default

2020-05-28 Thread Peter Eisentraut
On 2020-05-27 15:25, Jonathan S. Katz wrote: $ initdb -D data --auth-local=scram-sha-256 --auth-host=md5 Got an error message: "initdb: error: must specify a password for the superuser to enable md5 authentication" For the last two, that behavior is to be expected (after all, you've set the tw

Re: password_encryption default

2020-05-27 Thread Stephen Frost
Greetings, * Jonathan S. Katz (jk...@postgresql.org) wrote: > On 5/27/20 9:13 AM, Michael Paquier wrote: > > On Wed, May 27, 2020 at 02:56:34PM +0200, Magnus Hagander wrote: > >> Seems like the better choice yeah. Since we're changing the default anyway, > >> maybe now is the time to do that? Or i

Re: password_encryption default

2020-05-27 Thread Jonathan S. Katz
On 5/27/20 9:13 AM, Michael Paquier wrote: > On Wed, May 27, 2020 at 02:56:34PM +0200, Magnus Hagander wrote: >> Seems like the better choice yeah. Since we're changing the default anyway, >> maybe now is the time to do that? Or if not, maybe have it log an explicit >> deprecation warning when it l

Re: password_encryption default

2020-05-27 Thread Jonathan S. Katz
On 5/26/20 4:25 AM, Peter Eisentraut wrote: > On 2020-05-25 17:57, Jonathan S. Katz wrote: >> I took a look over, it looks good. One question on the initdb.c diff: >> >> -    if (strcmp(authmethodlocal, "scram-sha-256") == 0 || >> -    strcmp(authmethodhost, "scram-sha-256") == 0) >> -    { >>

Re: password_encryption default

2020-05-27 Thread Michael Paquier
On Wed, May 27, 2020 at 02:56:34PM +0200, Magnus Hagander wrote: > Seems like the better choice yeah. Since we're changing the default anyway, > maybe now is the time to do that? Or if not, maybe have it log an explicit > deprecation warning when it loads a config with it? Not sure that's worth it

Re: password_encryption default

2020-05-27 Thread Magnus Hagander
On Wed, May 27, 2020 at 8:29 AM Peter Eisentraut < peter.eisentr...@2ndquadrant.com> wrote: > On 2020-05-27 08:00, Michael Paquier wrote: > > On Tue, May 26, 2020 at 10:25:25AM +0200, Peter Eisentraut wrote: > >> Yeah, I was too enthusiastic about removing that. Here is a better > patch. > > > >

Re: password_encryption default

2020-05-26 Thread Peter Eisentraut
On 2020-05-27 08:00, Michael Paquier wrote: On Tue, May 26, 2020 at 10:25:25AM +0200, Peter Eisentraut wrote: Yeah, I was too enthusiastic about removing that. Here is a better patch. +as an MD5 hash. (on is also accepted, as an alias +for md5.) The default is +scram

Re: password_encryption default

2020-05-26 Thread Michael Paquier
On Tue, May 26, 2020 at 10:25:25AM +0200, Peter Eisentraut wrote: > Yeah, I was too enthusiastic about removing that. Here is a better patch. +as an MD5 hash. (on is also accepted, as an alias +for md5.) The default is +scram-sha-256. Shouldn't password_encryption = on/t

Re: password_encryption default

2020-05-26 Thread Peter Eisentraut
On 2020-05-25 17:57, Jonathan S. Katz wrote: I took a look over, it looks good. One question on the initdb.c diff: - if (strcmp(authmethodlocal, "scram-sha-256") == 0 || - strcmp(authmethodhost, "scram-sha-256") == 0) - { - conflines = replace_token(confli

Re: password_encryption default

2020-05-25 Thread Jonathan S. Katz
On 5/25/20 5:45 AM, Peter Eisentraut wrote: > On 2020-05-22 23:23, Jonathan S. Katz wrote: >>> Yeah.  But there's still something to Jonathan's argument, because 9.6 >>> will go EOL in November 2021, which is pretty close to when v14 will >>> reach public release (assuming we can hold to the typica

Re: password_encryption default

2020-05-25 Thread Peter Eisentraut
On 2020-05-22 23:23, Jonathan S. Katz wrote: Yeah. But there's still something to Jonathan's argument, because 9.6 will go EOL in November 2021, which is pretty close to when v14 will reach public release (assuming we can hold to the typical schedule). If we do it in v13, there'll be a full year

Re: password_encryption default

2020-05-22 Thread Jonathan S. Katz
On 5/22/20 5:21 PM, Tom Lane wrote: > Vik Fearing writes: >> On 5/22/20 9:09 PM, Jonathan S. Katz wrote: >>> As someone who is an unabashed SCRAM fan and was hoping the default >>> would be up'd for v13, I would actually +1 making it the default in v14, >>> i.e. because 9.5 will be EOL at that poi

Re: password_encryption default

2020-05-22 Thread Tom Lane
Vik Fearing writes: > On 5/22/20 9:09 PM, Jonathan S. Katz wrote: >> As someone who is an unabashed SCRAM fan and was hoping the default >> would be up'd for v13, I would actually +1 making it the default in v14, >> i.e. because 9.5 will be EOL at that point, and as such we both have >> every* dri

Re: password_encryption default

2020-05-22 Thread Vik Fearing
On 5/22/20 9:09 PM, Jonathan S. Katz wrote: > As someone who is an unabashed SCRAM fan and was hoping the default > would be up'd for v13, I would actually +1 making it the default in v14, > i.e. because 9.5 will be EOL at that point, and as such we both have > every* driver supporting SCRAM AND ev

Re: password_encryption default

2020-05-22 Thread Jonathan S. Katz
On 5/22/20 11:34 AM, Tom Lane wrote: > Stephen Frost writes: >> * Tom Lane (t...@sss.pgh.pa.us) wrote: >>> As far as that last goes, we *did* get the buildfarm fixed to be all >>> v11 scripts, so I thought we were ready to move forward on trying >>> 09f08930f again. It's too late to consider that

Re: password_encryption default

2020-05-22 Thread Stephen Frost
Greetings, * Tom Lane (t...@sss.pgh.pa.us) wrote: > Stephen Frost writes: > > * Tom Lane (t...@sss.pgh.pa.us) wrote: > >> I'm +1 for changing both of these things as soon as we branch for v14, > >> but I feel like it's a bit late for v13. If we aren't feature-frozen > >> now, when will we be? >

Re: password_encryption default

2020-05-22 Thread Tom Lane
Stephen Frost writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> I'm +1 for changing both of these things as soon as we branch for v14, >> but I feel like it's a bit late for v13. If we aren't feature-frozen >> now, when will we be? > I really don't consider changing of defaults to be on the sa

Re: password_encryption default

2020-05-22 Thread Stephen Frost
Greetings, * Tom Lane (t...@sss.pgh.pa.us) wrote: > Stephen Frost writes: > > * Tom Lane (t...@sss.pgh.pa.us) wrote: > >> As far as that last goes, we *did* get the buildfarm fixed to be all > >> v11 scripts, so I thought we were ready to move forward on trying > >> 09f08930f again. It's too lat

Re: password_encryption default

2020-05-22 Thread Tom Lane
Stephen Frost writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> As far as that last goes, we *did* get the buildfarm fixed to be all >> v11 scripts, so I thought we were ready to move forward on trying >> 09f08930f again. It's too late to consider that for v13, but >> perhaps it'd be reasonable

Re: password_encryption default

2020-05-22 Thread Stephen Frost
Greetings, * Tom Lane (t...@sss.pgh.pa.us) wrote: > Stephen Frost writes: > > * Magnus Hagander (mag...@hagander.net) wrote: > >> On Fri, May 22, 2020 at 4:13 PM Tom Lane wrote: > >>> Peter Eisentraut writes: > We didn't get anywhere with making the default authentication method in >

Re: password_encryption default

2020-05-22 Thread Tom Lane
Stephen Frost writes: > * Magnus Hagander (mag...@hagander.net) wrote: >> On Fri, May 22, 2020 at 4:13 PM Tom Lane wrote: >>> Peter Eisentraut writes: We didn't get anywhere with making the default authentication method in a source build anything other than trust. > I'm +1 on moving t

Re: password_encryption default

2020-05-22 Thread Stephen Frost
Greetings, * Magnus Hagander (mag...@hagander.net) wrote: > On Fri, May 22, 2020 at 4:13 PM Tom Lane wrote: > > Peter Eisentraut writes: > > > We didn't get anywhere with making the default authentication method in > > > a source build anything other than trust. But perhaps we should change > >

Re: password_encryption default

2020-05-22 Thread Magnus Hagander
On Fri, May 22, 2020 at 4:13 PM Tom Lane wrote: > Peter Eisentraut writes: > > We didn't get anywhere with making the default authentication method in > > a source build anything other than trust. But perhaps we should change > > the default for password_encryption to nudge people to adopt SCRA

Re: password_encryption default

2020-05-22 Thread Tom Lane
Peter Eisentraut writes: > We didn't get anywhere with making the default authentication method in > a source build anything other than trust. But perhaps we should change > the default for password_encryption to nudge people to adopt SCRAM? > Right now, passwords are still hashed using MD5 by

password_encryption default

2020-05-22 Thread Peter Eisentraut
We didn't get anywhere with making the default authentication method in a source build anything other than trust. But perhaps we should change the default for password_encryption to nudge people to adopt SCRAM? Right now, passwords are still hashed using MD5 by default, unless you specify scra

Re: change password_encryption default to scram-sha-256?

2019-04-22 Thread Jonathan S. Katz
On 4/8/19 6:10 PM, Jonathan S. Katz wrote: > On 4/8/19 4:20 PM, Alvaro Herrera wrote: >> On 2019-Apr-08, Jonathan S. Katz wrote: >> >>> On 4/8/19 4:10 PM, Alvaro Herrera wrote: >> I wonder why we have two pages https://wiki.postgresql.org/wiki/Client_Libraries https://wiki.postgresql

Re: change password_encryption default to scram-sha-256?

2019-04-12 Thread Bruce Momjian
On Mon, Apr 8, 2019 at 10:08:07AM -0400, Tom Lane wrote: > "Jonathan S. Katz" writes: > > On 4/8/19 8:49 AM, Magnus Hagander wrote: > >> I think the real question is, is it OK to give them basically 5 months > >> warning, by right now saying if you don't have a release out in 6 > >> months, things

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tatsuo Ishii
>> I am not sure all third party programs concerning scram-sha-256 are >> listed on this. There are some programs that talk to PostgreSQL using >> frontend/backend protocol, but not based on libpq or other native >> drivers (for example Pgpool-II). I guess PgBouncer is in the same >> category too.

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Euler Taveira
On Mon, Apr 8, 2019 at 19:43, Tatsuo Ishii wrote: > > I am not sure all third party programs concerning scram-sha-256 are > listed on this. There are some programs that talk to PostgreSQL using > frontend/backend protocol, but not based on libpq or other native > drivers (for example Pgpoo

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tatsuo Ishii
> On Sun, Apr 07, 2019 at 12:59:05PM -0400, Tom Lane wrote: >> Peter Eisentraut writes: >> > Should we change the default of the password_encryption setting to >> > 'scram-sha-256' in PG12? >> >> I thought we were going to wait a bit longer --- that just got added >> last year, no? What do we kn

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 4:20 PM, Alvaro Herrera wrote: > On 2019-Apr-08, Jonathan S. Katz wrote: > >> On 4/8/19 4:10 PM, Alvaro Herrera wrote: > >>> I wonder why we have two pages >>> https://wiki.postgresql.org/wiki/Client_Libraries >>> https://wiki.postgresql.org/wiki/List_of_drivers >> >> No clue, but it ap

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Dave Cramer writes:
> That said 42.2.0 was released in January 2018, so by PG13 it's going to be
> 4 years old.

Huh? 13 should come out in the fall of 2020.

regards, tom lane

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
On Mon, 8 Apr 2019 at 16:38, Tom Lane wrote: > Dave Cramer writes: > >> If someone installs a postgres RPM/DEB from postgresql.org, they could > >> also install postgresql-jdbc, right ? > > > I would guess there might be some distro specific java apps that might > > actually use what is on the m

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Dave Cramer writes: >> If someone installs a postgres RPM/DEB from postgresql.org, they could >> also install postgresql-jdbc, right ? > I would guess there might be some distro specific java apps that might > actually use what is on the machine but as mentioned any reasonably complex > Java app

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
> > > > > The scenario that worries me here is somebody using a bleeding-edge PGDG > > server package in an environment where the rest of the Postgres ecosystem > > is much less bleeding-edge. > > If someone installs a postgres RPM/DEB from postgresql.org, they could > also > install postgresql-jdb

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Tom Lane wrote:
> I'm particularly concerned about the idea that they won't see a problem
> during initial testing, only to have things fall over after they enter
> production and do a "routine" password change.

This is a fair objection.

--
Álvaro Herrera https://

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Jonathan S. Katz wrote: > On 4/8/19 4:10 PM, Alvaro Herrera wrote: > > I wonder why we have two pages > > https://wiki.postgresql.org/wiki/Client_Libraries > > https://wiki.postgresql.org/wiki/List_of_drivers > > No clue, but it appears that first one is the newer of the two[1][2

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Justin Pryzby writes: > On Mon, Apr 08, 2019 at 02:28:30PM -0400, Tom Lane wrote: >> The scenario that worries me here is somebody using a bleeding-edge PGDG >> server package in an environment where the rest of the Postgres ecosystem >> is much less bleeding-edge. > If someone installs a postgre

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 4:10 PM, Alvaro Herrera wrote: > On 2019-Apr-08, Dave Cramer wrote: > >> On Mon, 8 Apr 2019 at 16:07, Alvaro Herrera >> wrote: > >>> I meant an exception to the common situation that SCRAM-SHA-256 is >>> supported and shipped in stable releases of each driver. The wiki here >>> still

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Dave Cramer wrote: > On Mon, 8 Apr 2019 at 16:07, Alvaro Herrera > wrote: > > I meant an exception to the common situation that SCRAM-SHA-256 is > > supported and shipped in stable releases of each driver. The wiki here > > still says it's unsupported on JDBC: > > https://wiki.p

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
On Mon, 8 Apr 2019 at 16:07, Alvaro Herrera wrote: > On 2019-Apr-08, Dave Cramer wrote: > > > > IIUC the vast majority of clients already support SCRAM auth. So the > > > vast majority of PG users can take advantage of the additional > security. > > > I think the only massive-adoption exception

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Dave Cramer wrote: > > IIUC the vast majority of clients already support SCRAM auth. So the > > vast majority of PG users can take advantage of the additional security. > > I think the only massive-adoption exception is JDBC, and apparently they > > already have working patches fo

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
On Mon, 8 Apr 2019 at 15:18, Jonathan S. Katz wrote: > On 4/8/19 2:28 PM, Tom Lane wrote: > > Andres Freund writes: > >> On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: > >>> I'm not sure I understand all this talk about deferring changing the > >>> default to pg13. AFAICS only a few fringe

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
Alvaro, On Mon, 8 Apr 2019 at 13:34, Alvaro Herrera wrote: > I'm not sure I understand all this talk about deferring changing the > default to pg13. AFAICS only a few fringe drivers are missing support; > not changing in pg12 means we're going to leave *all* users, even those > whose clients ha

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Justin Pryzby
On Mon, Apr 08, 2019 at 02:28:30PM -0400, Tom Lane wrote: > On Mon, Apr 08, 2019 at 10:41:07AM -0700, Andres Freund wrote: >> If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A >> pretty large fraction of users use jdbc to access postgres. But it seems >> to me that support has b

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 2:28 PM, Tom Lane wrote: > Andres Freund writes: >> On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: >>> I'm not sure I understand all this talk about deferring changing the >>> default to pg13. AFAICS only a few fringe drivers are missing support; >>> not changing in pg12 means we'r

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Andres Freund writes: > On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: >> I'm not sure I understand all this talk about deferring changing the >> default to pg13. AFAICS only a few fringe drivers are missing support; >> not changing in pg12 means we're going to leave *all* users, even those

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Andres Freund
Hi, On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: > I'm not sure I understand all this talk about deferring changing the > default to pg13. AFAICS only a few fringe drivers are missing support; > not changing in pg12 means we're going to leave *all* users, even those > whose clients have su

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
I'm not sure I understand all this talk about deferring changing the default to pg13. AFAICS only a few fringe drivers are missing support; not changing in pg12 means we're going to leave *all* users, even those whose clients have support, without the additional security for 18 more months. IIUC

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 10:08 AM, Tom Lane wrote: > "Jonathan S. Katz" writes: >> On 4/8/19 8:49 AM, Magnus Hagander wrote: >>> I think the real question is, is it OK to give them basically 5 months >>> warning, by right now saying if you don't have a release out in 6 >>> months, things will break. > >> Given t

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
"Jonathan S. Katz" writes: > On 4/8/19 8:49 AM, Magnus Hagander wrote: >> I think the real question is, is it OK to give them basically 5 months >> warning, by right now saying if you don't have a release out in 6 >> months, things will break. > Given the supported libraries all have open pull req

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 8:49 AM, Magnus Hagander wrote: > On Mon, Apr 8, 2019 at 2:38 PM Jonathan S. Katz > wrote: > Counter-argument: SCRAM has been available for 2 years since 10 feature > freeze, there has been a lot of time already given to implement support > for i

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Magnus Hagander
On Mon, Apr 8, 2019 at 2:38 PM Jonathan S. Katz wrote: > On 4/8/19 8:19 AM, Peter Eisentraut wrote: > > On 2019-04-08 13:52, Andrew Dunstan wrote: > >> Yeah, if we're not going to do it now we should announce that we will > >> do it in the next release. > > > > Targeting PG13 seems reasonable. >

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 8:19 AM, Peter Eisentraut wrote: > On 2019-04-08 13:52, Andrew Dunstan wrote: >> Yeah, if we're not going to do it now we should announce that we will >> do it in the next release. > > Targeting PG13 seems reasonable. Counter-argument: SCRAM has been available for 2 years since 10 featu

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Peter Eisentraut
On 2019-04-08 13:52, Andrew Dunstan wrote:
> Yeah, if we're not going to do it now we should announce that we will
> do it in the next release.

Targeting PG13 seems reasonable.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Andrew Dunstan
On Mon, Apr 8, 2019 at 2:38 AM Michael Paquier wrote: > > On Mon, Apr 08, 2019 at 09:08:05AM +0300, Heikki Linnakangas wrote: > > I wouldn't hold my breath. That's the third PR to add SCRAM support already, > > see also https://github.com/lib/pq/pull/788 and > > https://github.com/lib/pq/pull/608.

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Sergei Kornilov
Hi > I am wondering on the contrary if switching the default on Postgres > side would make things move faster on their side though. I think we need give more time before change default. I suggest not to repeat the quick change of default to a new value as it was in the MySQL 8.0 last year [1].

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Michael Paquier
On Mon, Apr 08, 2019 at 09:08:05AM +0300, Heikki Linnakangas wrote: > I wouldn't hold my breath. That's the third PR to add SCRAM support already, > see also https://github.com/lib/pq/pull/788 and > https://github.com/lib/pq/pull/608. The project seems to lack the committer > manpower or round tuit

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Heikki Linnakangas
On 08/04/2019 08:42, Andres Freund wrote: Seems go/pq might get it soon-ish: https://github.com/lib/pq/pull/833 I wouldn't hold my breath. That's the third PR to add SCRAM support already, see also https://github.com/lib/pq/pull/788 and https://github.com/lib/pq/pull/608. The project seems to

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Andres Freund
Hi, On 2019-04-08 01:34:42 -0400, Tom Lane wrote: > Michael Paquier writes: > > From what I can see, the major drivers not using directly libpq > > support our SASL protocol: JDBC and npgsql. However I can count three > > of them which still don't support it: Crystal, pq (Go) and asyncpg. > > pq

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Tom Lane
Michael Paquier writes: > From what I can see, the major drivers not using directly libpq > support our SASL protocol: JDBC and npgsql. However I can count three > of them which still don't support it: Crystal, pq (Go) and asyncpg. > pq and asyncpg are very popular on github, with at least 3000 s

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Michael Paquier
On Sun, Apr 07, 2019 at 08:23:06PM +0200, David Fetter wrote: > Great idea! Does it make sense to test all, or at least some > significant fraction of the connectors listed in > https://wiki.postgresql.org/wiki/Client_Libraries by default? This is a more interesting list: https://wiki.postgresql.

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread David Fetter
On Sun, Apr 07, 2019 at 12:59:05PM -0400, Tom Lane wrote: > Peter Eisentraut writes: > > Should we change the default of the password_encryption setting to > > 'scram-sha-256' in PG12? > > I thought we were going to wait a bit longer --- that just got added > last year, no? What do we know about

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Tom Lane
Peter Eisentraut writes: > Should we change the default of the password_encryption setting to > 'scram-sha-256' in PG12? I thought we were going to wait a bit longer --- that just got added last year, no? What do we know about the state of support in client libraries? re

change password_encryption default to scram-sha-256?

2019-04-07 Thread Peter Eisentraut
Should we change the default of the password_encryption setting to 'scram-sha-256' in PG12?

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services