On 5/24/19 9:01 AM, Stephen Frost wrote:
> Greetings,
>
> * Jonathan S. Katz (jk...@postgresql.org) wrote:
>> On 5/24/19 8:33 AM, Stephen Frost wrote:
>>> We need to provide better documentation about how to get from md5 to
>>> SCRAM, in my view. I'm not sure where that should live, exactly.
>>> I really wish we had put more effort into making the migration easy to
>>> do over a period of time, and we might actually have to do that before
>>> the packagers would be willing to make that change.
>>
>> +100...I think we should do this regardless, and I was already thinking
>> of writing something up around it. I would even suggest that we have
>> said password upgrade documentation backpatched to 10.
>
> Not sure that backpatching is necessary, but I'm not actively against
> it.

Well, for someone who wants to cut over and has to manually guide the
process, a guide will help in absence of new development.

>
> What I was really getting at though was the ability to have multiple
> authenticator tokens active concurrently (eg: md5 AND SCRAM), with an
> ability to use either one (idk, md5_or_scram auth method?), and then
> automatically set both on password change until everything is using
> SCRAM and then remove all MD5 stuff.
>
> Or something along those lines. In other words, I'm talking about new
> development work to ease the migration (while also providing some oft
> asked about features, like the ability to do rolling passwords...).

Cool, I have been thinking about a similar feature as well to help ease
the transition (and fwiw was going to suggest it in my previous email).

I think an interim step at least is to document how we can at least help
ease the transition.

Thanks,

Jonathan