On Fri, 15 Jun 2001, Bruce Momjian wrote:

> > > Migrating old sites to encrypted pg_shadow passwords should be easy if a
> > > trigger on pg_shadow will look for unencrypted INSERTs and encrypt them.
> >
> > If encrypting pg_shadow will break the old-style crypt method, then I
> > think forcing a conversion via a trigger is unacceptable.  It will have
> > to be a DBA choice (at configure time, or possibly initdb?) whether to
> > use encryption or not in pg_shadow; accordingly, either crypt or "new
> > crypt" auth method will be supported by the server, not both.  But
> > client libraries could be built to support both auth methods.
>
> I hate to add initdb options because it may be confusing.  I wonder if
> we should have a script that encrypts the pg_shadow entries that can be
> run when the administrator knows that there are no old clients left
> around.  That way it can be run _after_ initdb.

Which clients actually read pg_shadow?  I always thought that only the
postmaster read it.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: [EMAIL PROTECTED]    http://www.pop4.net
         56K Nationwide Dialup from $16.00/mo at Pop4 Networking
        Online Campground Directory    http://www.camping-usa.com
       Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================



