Re: change password_encryption default to scram-sha-256?

2019-04-22 Thread Jonathan S. Katz
On 4/8/19 6:10 PM, Jonathan S. Katz wrote: > On 4/8/19 4:20 PM, Alvaro Herrera wrote: >> On 2019-Apr-08, Jonathan S. Katz wrote: >> >>> On 4/8/19 4:10 PM, Alvaro Herrera wrote: >> I wonder why we have two pages https://wiki.postgresql.org/wiki/Client_Libraries

Re: change password_encryption default to scram-sha-256?

2019-04-12 Thread Bruce Momjian
On Mon, Apr 8, 2019 at 10:08:07AM -0400, Tom Lane wrote: > "Jonathan S. Katz" writes: > > On 4/8/19 8:49 AM, Magnus Hagander wrote: > >> I think the real question is, is it OK to give them basically 5 months > >> warning, by right now saying if you don't have a release out in 6 > >> months,

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tatsuo Ishii
>> I am not sure all third party programs concerning scram-sha-256 are >> listed on this. There are some programs that talk to PostgreSQL using >> frontend/backend protocol, but not based on libpq or other native >> drivers (for example Pgpool-II). I guess PgBouncer is in the same >> category too.

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Euler Taveira
On Mon, 8 Apr 2019 at 19:43, Tatsuo Ishii wrote: > > I am not sure all third party programs concerning scram-sha-256 are > listed on this. There are some programs that talk to PostgreSQL using > frontend/backend protocol, but not based on libpq or other native > drivers (for example

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tatsuo Ishii
> On Sun, Apr 07, 2019 at 12:59:05PM -0400, Tom Lane wrote: >> Peter Eisentraut writes: >> > Should we change the default of the password_encryption setting to >> > 'scram-sha-256' in PG12? >> >> I thought we were going to wait a bit longer --- that just got added >> last year, no? What do we

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 4:20 PM, Alvaro Herrera wrote: > On 2019-Apr-08, Jonathan S. Katz wrote: > >> On 4/8/19 4:10 PM, Alvaro Herrera wrote: > >>> I wonder why we have two pages >>> https://wiki.postgresql.org/wiki/Client_Libraries >>> https://wiki.postgresql.org/wiki/List_of_drivers >> >> No clue, but it

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Dave Cramer writes: > That said 42.2.0 was released in January 2018, so by PG13 it's going to be > 4 years old. Huh? 13 should come out in the fall of 2020. regards, tom lane

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
On Mon, 8 Apr 2019 at 16:38, Tom Lane wrote: > Dave Cramer writes: > >> If someone installs a postgres RPM/DEB from postgresql.org, they could > >> also install postgresql-jdbc, right? > > > I would guess there might be some distro specific java apps that might > > actually use what is on the

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Dave Cramer writes: >> If someone installs a postgres RPM/DEB from postgresql.org, they could >> also install postgresql-jdbc, right? > I would guess there might be some distro specific java apps that might > actually use what is on the machine but as mentioned any reasonably complex > Java app

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
> > > > > The scenario that worries me here is somebody using a bleeding-edge PGDG > > server package in an environment where the rest of the Postgres ecosystem > > is much less bleeding-edge. > > If someone installs a postgres RPM/DEB from postgresql.org, they could > also > install

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Tom Lane wrote: > I'm particularly concerned about the idea that they won't see a problem > during initial testing, only to have things fall over after they enter > production and do a "routine" password change. This is a fair objection. -- Álvaro Herrera

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Jonathan S. Katz wrote: > On 4/8/19 4:10 PM, Alvaro Herrera wrote: > > I wonder why we have two pages > > https://wiki.postgresql.org/wiki/Client_Libraries > > https://wiki.postgresql.org/wiki/List_of_drivers > > No clue, but it appears that first one is the newer of the

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Justin Pryzby writes: > On Mon, Apr 08, 2019 at 02:28:30PM -0400, Tom Lane wrote: >> The scenario that worries me here is somebody using a bleeding-edge PGDG >> server package in an environment where the rest of the Postgres ecosystem >> is much less bleeding-edge. > If someone installs a

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 4:10 PM, Alvaro Herrera wrote: > On 2019-Apr-08, Dave Cramer wrote: > >> On Mon, 8 Apr 2019 at 16:07, Alvaro Herrera >> wrote: > >>> I meant an exception to the common situation that SCRAM-SHA-256 is >>> supported and shipped in stable releases of each driver. The wiki here >>> still

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Dave Cramer wrote: > On Mon, 8 Apr 2019 at 16:07, Alvaro Herrera > wrote: > > I meant an exception to the common situation that SCRAM-SHA-256 is > > supported and shipped in stable releases of each driver. The wiki here > > still says it's unsupported on JDBC: > >

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
On Mon, 8 Apr 2019 at 16:07, Alvaro Herrera wrote: > On 2019-Apr-08, Dave Cramer wrote: > > > > IIUC the vast majority of clients already support SCRAM auth. So the > > > vast majority of PG users can take advantage of the additional > security. > > > I think the only massive-adoption exception

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
On 2019-Apr-08, Dave Cramer wrote: > > IIUC the vast majority of clients already support SCRAM auth. So the > > vast majority of PG users can take advantage of the additional security. > > I think the only massive-adoption exception is JDBC, and apparently they > > already have working patches

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
On Mon, 8 Apr 2019 at 15:18, Jonathan S. Katz wrote: > On 4/8/19 2:28 PM, Tom Lane wrote: > > Andres Freund writes: > >> On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: > >>> I'm not sure I understand all this talk about deferring changing the > >>> default to pg13. AFAICS only a few

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Dave Cramer
Alvaro, On Mon, 8 Apr 2019 at 13:34, Alvaro Herrera wrote: > I'm not sure I understand all this talk about deferring changing the > default to pg13. AFAICS only a few fringe drivers are missing support; > not changing in pg12 means we're going to leave *all* users, even those > whose clients

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Justin Pryzby
On Mon, Apr 08, 2019 at 02:28:30PM -0400, Tom Lane wrote: >On Mon, Apr 08, 2019 at 10:41:07AM -0700, Andres Freund wrote: >> If jdbc didn't support scram, it'd be an absolutely clear no-go imo. A >> pretty large fraction of users use jdbc to access postgres. But it seems >> to me that support has

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 2:28 PM, Tom Lane wrote: > Andres Freund writes: >> On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: >>> I'm not sure I understand all this talk about deferring changing the >>> default to pg13. AFAICS only a few fringe drivers are missing support; >>> not changing in pg12 means

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
Andres Freund writes: > On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: >> I'm not sure I understand all this talk about deferring changing the >> default to pg13. AFAICS only a few fringe drivers are missing support; >> not changing in pg12 means we're going to leave *all* users, even those

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Andres Freund
Hi, On 2019-04-08 13:34:12 -0400, Alvaro Herrera wrote: > I'm not sure I understand all this talk about deferring changing the > default to pg13. AFAICS only a few fringe drivers are missing support; > not changing in pg12 means we're going to leave *all* users, even those > whose clients have

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Alvaro Herrera
I'm not sure I understand all this talk about deferring changing the default to pg13. AFAICS only a few fringe drivers are missing support; not changing in pg12 means we're going to leave *all* users, even those whose clients have support, without the additional security for 18 more months. IIUC

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 10:08 AM, Tom Lane wrote: > "Jonathan S. Katz" writes: >> On 4/8/19 8:49 AM, Magnus Hagander wrote: >>> I think the real question is, is it OK to give them basically 5 months >>> warning, by right now saying if you don't have a release out in 6 >>> months, things will break. > >> Given

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Tom Lane
"Jonathan S. Katz" writes: > On 4/8/19 8:49 AM, Magnus Hagander wrote: >> I think the real question is, is it OK to give them basically 5 months >> warning, by right now saying if you don't have a release out in 6 >> months, things will break. > Given the supported libraries all have open pull

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 8:49 AM, Magnus Hagander wrote: > On Mon, Apr 8, 2019 at 2:38 PM Jonathan S. Katz > wrote: > Counter-argument: SCRAM has been available for 2 years since 10 feature > freeze, there has been a lot of time already given to implement support > for

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Magnus Hagander
On Mon, Apr 8, 2019 at 2:38 PM Jonathan S. Katz wrote: > On 4/8/19 8:19 AM, Peter Eisentraut wrote: > > On 2019-04-08 13:52, Andrew Dunstan wrote: > >> Yeah, if we're not going to do it now we should announce that we will > >> do it in the next release. > > > > Targeting PG13 seems reasonable. >

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Jonathan S. Katz
On 4/8/19 8:19 AM, Peter Eisentraut wrote: > On 2019-04-08 13:52, Andrew Dunstan wrote: >> Yeah, if we're not going to do it now we should announce that we will >> do it in the next release. > > Targeting PG13 seems reasonable. Counter-argument: SCRAM has been available for 2 years since 10

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Peter Eisentraut
On 2019-04-08 13:52, Andrew Dunstan wrote: > Yeah, if we're not going to do it now we should announce that we will > do it in the next release. Targeting PG13 seems reasonable. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA,

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Andrew Dunstan
On Mon, Apr 8, 2019 at 2:38 AM Michael Paquier wrote: > > On Mon, Apr 08, 2019 at 09:08:05AM +0300, Heikki Linnakangas wrote: > > I wouldn't hold my breath. That's the third PR to add SCRAM support already, > > see also https://github.com/lib/pq/pull/788 and > >

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Sergei Kornilov
Hi > I am wondering on the contrary if switching the default on Postgres > side would make things move faster on their side though. I think we need to give more time before changing the default. I suggest not to repeat the quick change of default to a new value as it was in MySQL 8.0 last year [1].

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Michael Paquier
On Mon, Apr 08, 2019 at 09:08:05AM +0300, Heikki Linnakangas wrote: > I wouldn't hold my breath. That's the third PR to add SCRAM support already, > see also https://github.com/lib/pq/pull/788 and > https://github.com/lib/pq/pull/608. The project seems to lack the committer > manpower or round

Re: change password_encryption default to scram-sha-256?

2019-04-08 Thread Heikki Linnakangas
On 08/04/2019 08:42, Andres Freund wrote: > Seems go/pq might get it soon-ish: > https://github.com/lib/pq/pull/833 I wouldn't hold my breath. That's the third PR to add SCRAM support already, see also https://github.com/lib/pq/pull/788 and https://github.com/lib/pq/pull/608. The project seems

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Andres Freund
Hi, On 2019-04-08 01:34:42 -0400, Tom Lane wrote: > Michael Paquier writes: > > From what I can see, the major drivers not using libpq directly > > support our SASL protocol: JDBC and npgsql. However I can count three > > of them which still don't support it: Crystal, pq (Go) and asyncpg. > >

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Tom Lane
Michael Paquier writes: > From what I can see, the major drivers not using libpq directly > support our SASL protocol: JDBC and npgsql. However I can count three > of them which still don't support it: Crystal, pq (Go) and asyncpg. > pq and asyncpg are very popular on github, with at least 3000

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Michael Paquier
On Sun, Apr 07, 2019 at 08:23:06PM +0200, David Fetter wrote: > Great idea! Does it make sense to test all, or at least some > significant fraction of the connectors listed in > https://wiki.postgresql.org/wiki/Client_Libraries by default? This is a more interesting list:

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread David Fetter
On Sun, Apr 07, 2019 at 12:59:05PM -0400, Tom Lane wrote: > Peter Eisentraut writes: > > Should we change the default of the password_encryption setting to > > 'scram-sha-256' in PG12? > > I thought we were going to wait a bit longer --- that just got added > last year, no? What do we know

Re: change password_encryption default to scram-sha-256?

2019-04-07 Thread Tom Lane
Peter Eisentraut writes: > Should we change the default of the password_encryption setting to > 'scram-sha-256' in PG12? I thought we were going to wait a bit longer --- that just got added last year, no? What do we know about the state of support in client libraries?

change password_encryption default to scram-sha-256?

2019-04-07 Thread Peter Eisentraut
Should we change the default of the password_encryption setting to 'scram-sha-256' in PG12? -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services