Re: PG 10 release notes

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Andreas Karlsson <andreas(at)proxel(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PG 10 release notes
Date: 2017-04-26 00:02:51
Message-ID: CAB7nPqQCxOG+qwgDYAAOm7NREhJdfKcpzJNivF8CM-47EBa9vw@mail.gmail.com
Lists: pgsql-hackers

On Wed, Apr 26, 2017 at 12:20 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> On Tue, Apr 25, 2017 at 02:39:40PM +0900, Michael Paquier wrote:
>> <para>
>> Add <link linkend="auth-pg-hba-conf"><literal>SCRAM-SHA-256</></>
>> support for password negotiation and storage (Michael
>> Paquier, Heikki Linnakangas)
>> </para>
>> <para>
>> This proves better security than the existing 'md5' negotiation and
>> storage method.
>> </para>
>> This is quite vague...
>
> Can you give me better text? I can't think of any.

Sure, here is an idea:
Add support for SASL authentication using protocol mechanism
SCRAM-SHA-256 per RFC 5802 and 7677. (adding a reference to the RFCs
with a link seems important to me).

SCRAM-SHA-256 improves deficiencies of MD5 password hashing by
preventing any kind of pass-the-hash vulnerabilities, where a user
would be able to connect to a PostgreSQL instance by just knowing the
hash of a password and not the password itself.
--
Michael
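To make concrete why the SCRAM-SHA-256 verifier cannot be replayed the way an md5 hash can, here is an added example (not code from the message above or from PostgreSQL) that carries out the RFC 5802 key derivation and proof check with SHA-256 as RFC 7677 specifies; the salt, iteration count and nonces are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed parameters for the example (not taken from the message above).
ITERATIONS = 4096                 # iteration count PostgreSQL uses by default for SCRAM verifiers
SALT = b"constructed-16B-salt"    # a real server draws a random salt per user

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def scram_verifier(password, salt=SALT, iterations=ITERATIONS):
    """What the server stores (RFC 5802 sec. 3, with SHA-256 per RFC 7677):
    StoredKey = H(ClientKey) and ServerKey. Neither the password nor ClientKey is kept."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return {"iterations": iterations, "salt": salt,
            "stored_key": hashlib.sha256(client_key).digest(), "server_key": server_key}

def auth_message(verifier, cnonce=b"cnonce01", snonce=b"snonce01"):
    """AuthMessage = client-first-bare , server-first , client-final-without-proof."""
    salt_b64 = base64.b64encode(verifier["salt"])
    return (b"n=,r=" + cnonce + b",r=" + cnonce + snonce + b",s=" + salt_b64
            + b",i=" + str(verifier["iterations"]).encode() + b",c=biws,r=" + cnonce + snonce)

def client_proof(password, salt, iterations, msg):
    """Client side: rebuild ClientKey from the password, mask it with ClientSignature."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, hmac.new(stored_key, msg, hashlib.sha256).digest())

def proof_from_verifier_only(verifier, msg):
    """What someone holding only the stored verifier can compute: StoredKey stands in for
    ClientKey, since ClientKey itself is not stored. The server rejects this below."""
    return _xor(verifier["stored_key"], hmac.new(verifier["stored_key"], msg, hashlib.sha256).digest())

def server_check(verifier, msg, proof):
    """Server side: unmask ClientKey and compare H(ClientKey) with StoredKey.
    Returns (accepted, ServerSignature) so the client can authenticate the server too."""
    client_sig = hmac.new(verifier["stored_key"], msg, hashlib.sha256).digest()
    client_key = _xor(proof, client_sig)
    ok = hmac.compare_digest(hashlib.sha256(client_key).digest(), verifier["stored_key"])
    server_sig = hmac.new(verifier["server_key"], msg, hashlib.sha256).digest() if ok else None
    return ok, server_sig
```

With md5 storage, by contrast, the challenge response is derived from the stored hash alone, which is the pass-the-hash weakness the proposed text describes.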
