[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

Stephen Frost sfrost at snowman.net
Wed Mar 4 14:55:51 UTC 2015


Aaron,

* Aaron Zauner (azet at azet.org) wrote:
> Stephen Frost wrote:
> > We're currently looking at getting SCRAM support by implementing SASL,
> > but I'm worried that we'll then create a dependency on SASL that people
> > won't be happy with and therefore I'm very curious about how difficult
> > it'd be to implement proper SCRAM directly.  Do you know if there is
> > BSD-licensed code (PG is entirely BSD licensed) that implements SCRAM?
> 
> Just to put the idea out there; PGSQL currently links to OpenSSL for
> TLS, right? TLS has support for SRP [0] [1]. This could be used for
> password based authenticated TLS sessions without client certificates.
> Might be less of a burden on users than deploying PKIX with
> client-certificates while still providing proper security.

That's an excellent thought.  I wasn't aware of this.  Unfortunately,
I'm not sure that we could make it the default in Debian as it requires
server-side certificates be configured and used properly (correct?) but
I don't see a reason to not support it and encourage its use.

	Thanks!

		Stephen