On 24/05/2019 16:01, Stephen Frost wrote:
> What I was really getting at though was the ability to have multiple
> authenticator tokens active concurrently (eg: md5 AND SCRAM), with an
> ability to use either one (idk, md5_or_scram auth method?), and then
> automatically set both on password change until everything is using
> SCRAM and then remove all MD5 stuff.

Umm, that's what "md5" already does. Per documentation (https://www.postgresql.org/docs/current/auth-password.html):

> To ease transition from the md5 method to the newer SCRAM method, if
> md5 is specified as a method in pg_hba.conf but the user's password on
> the server is encrypted for SCRAM (see below), then SCRAM-based
> authentication will automatically be chosen instead.

The migration path is:

1. Use "md5" in pg_hba.conf, and put password_encryption='scram-sha-256' in postgresql.conf.

2. Wait until all users have reset their passwords, so that all users have a SCRAM-SHA-256 verifier.

3. Replace "md5" with "scram-sha-256" in pg_hba.conf.

Step 3 is kind of optional; once all users have a SCRAM verifier instead of an MD5 hash, they will all use SCRAM even without changing pg_hba.conf. It just prevents MD5 authentication in case a user forces a new MD5 hash into the system e.g. by changing password_encryption, or by setting an MD5 password explicitly with ALTER USER.

- Heikki
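Step 2 of the migration above needs a concrete check: which login roles still carry an MD5 hash, and which already have a SCRAM-SHA-256 verifier. The following is an added example, not code from this thread or from PostgreSQL itself. It relies only on the real `pg_authid` columns (`rolname`, `rolcanlogin`, `rolpassword`) and on the documented verifier formats (`md5` followed by 32 hex digits; `SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>`); the sample rows embedded at the bottom are constructed and are not real hashes. Run the query as a superuser (`pg_authid` is not readable by ordinary roles), feed the rows to `migration_report`, and only flip `pg_hba.conf` to `scram-sha-256` once `ready_for_step3` is true.

```python
import re
from typing import Iterable, NamedTuple, Optional, Dict, List

# Query to run against the server (added example; pg_authid is superuser-only).
# rolpassword holds the stored verifier; its prefix reveals which
# password_encryption setting was in effect when the password was last set.
AUDIT_QUERY = """
SELECT rolname, rolcanlogin, rolpassword
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;
"""

# "md5" + 32 lowercase hex digits (35 characters total).
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
# SCRAM-SHA-256$<iterations>:<base64 salt>$<base64 StoredKey>:<base64 ServerKey>
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)$")


class RoleRow(NamedTuple):
    rolname: str
    rolcanlogin: bool
    rolpassword: Optional[str]


def classify_verifier(rolpassword: Optional[str]) -> str:
    """Map a pg_authid.rolpassword value to the authentication scheme it supports."""
    if rolpassword is None:
        return "none"            # no password: cannot use md5 or scram at all
    if MD5_RE.match(rolpassword):
        return "md5"             # still blocks step 3
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"   # already migrated
    return "unknown"             # anything else: treat conservatively as blocking


def migration_report(rows: Iterable[RoleRow]) -> Dict[str, List[str]]:
    """Group login roles by verifier type. Roles without LOGIN are ignored,
    since they can never authenticate with a password anyway."""
    report: Dict[str, List[str]] = {"md5": [], "scram-sha-256": [], "none": [], "unknown": []}
    for row in rows:
        if not row.rolcanlogin:
            continue
        report[classify_verifier(row.rolpassword)].append(row.rolname)
    return report


def ready_for_step3(rows: Iterable[RoleRow]) -> bool:
    """True once no login role would be locked out by 'scram-sha-256' in pg_hba.conf."""
    report = migration_report(rows)
    return not report["md5"] and not report["unknown"]


# Constructed sample rows standing in for the output of AUDIT_QUERY.
# The hashes and keys below are placeholders, not real credentials.
SAMPLE_ROWS = [
    RoleRow("alice", True, "md5" + "0123456789abcdef" * 2),
    RoleRow("bob", True, "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5"),
    RoleRow("svc_readonly", True, None),
    RoleRow("app_group", False, "md5" + "fedcba9876543210" * 2),  # NOLOGIN: ignored
]

if __name__ == "__main__":
    for kind, names in migration_report(SAMPLE_ROWS).items():
        print(f"{kind:14s} {', '.join(names) or '-'}")
    print("safe to switch pg_hba.conf to scram-sha-256:", ready_for_step3(SAMPLE_ROWS))
```

In the sample, `alice` still has an MD5 hash, so the report says step 3 is not yet safe; once she resets her password under `password_encryption='scram-sha-256'` her row becomes a SCRAM verifier and the check passes. The `unknown` bucket exists so that a verifier in a format the script does not recognise is never silently treated as migrated.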

