
5 Mar 2021
7:02 a.m.
On Thu, Mar 04, 2021 at 06:10:11PM +0000, Daniel P. Berrangé wrote:
> GSSAPI and SCRAM-SHA-256 are the only two SASL mechanisms we especially want people to be using. Even the latter is a little questionable due to storing passwords in cleartext on the server.
At what point of the SCRAM-SHA-256 auth process is the password handled as clear text? I mean, I tried to look up the issue you mention and couldn't find anything; quite the contrary, e.g. Postgres says SCRAM-SHA-256 is the only recommended scheme for password-based auth and storing passwords in clear text is not possible. Isn't it kind of the point that passwords are never stored in clear text with this scheme? https://www.postgresql.org/docs/13/auth-password.html

Erik
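For readers following the exchange, here is what the SCRAM-SHA-256 mechanism itself (RFC 5802 with the SHA-256 profile of RFC 7677) requires a server to keep and how it checks a client's proof from those values alone. This is an added illustration, not code from the thread, Cyrus SASL, or PostgreSQL; it omits SASLprep and the channel-binding details, and the nonces, salt and AuthMessage in the usage section are constructed sample values. Whether a given SASL implementation actually stores only the derived verifier, or keeps the plaintext so it can also serve other mechanisms, is a deployment and implementation choice that this derivation does not settle.

```python
import hashlib
import hmac
import os


def scram_sha256_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """Return the server-side verifier for a SCRAM-SHA-256 user (RFC 5802 s.3).

    SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, iterations)
    ClientKey      = HMAC(SaltedPassword, "Client Key")
    StoredKey      = SHA-256(ClientKey)
    ServerKey      = HMAC(SaltedPassword, "Server Key")

    The server keeps salt, iteration count, StoredKey and ServerKey only.
    Neither the password nor SaltedPassword needs to be stored.
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha256).digest(),
    }


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: the only place the plaintext password is used.

    ClientSignature = HMAC(StoredKey, AuthMessage)
    ClientProof     = ClientKey XOR ClientSignature
    The proof, not the password, is what crosses the wire.
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def verify_client_proof(verifier: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare its hash to StoredKey.

    The server can do this with the stored verifier alone; it never learns
    the password, and a stolen StoredKey does not let an attacker produce a
    fresh proof because ClientKey is needed and SHA-256 is not invertible.
    """
    signature = hmac.new(verifier["stored_key"], auth_message, hashlib.sha256).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), verifier["stored_key"])


def server_signature(verifier: dict, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage); lets the client confirm
    the server really holds the verifier (mutual authentication)."""
    return hmac.new(verifier["server_key"], auth_message, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample enrolment and exchange (not real traffic).
    salt = os.urandom(16)
    verifier = scram_sha256_verifier("correct horse battery staple", salt, 4096)
    auth_message = b"n=erik,r=cnonce,r=cnonce+snonce,s=c2FsdA==,i=4096,c=biws,r=cnonce+snonce"
    proof = client_proof("correct horse battery staple", salt, 4096, auth_message)
    print("good password accepted:", verify_client_proof(verifier, auth_message, proof))
    bad = client_proof("wrong password", salt, 4096, auth_message)
    print("wrong password accepted:", verify_client_proof(verifier, auth_message, bad))
```

The stored record holds only the 32-byte StoredKey and ServerKey plus the salt and iteration count; an offline attacker holding it still has to run PBKDF2 per guess, which is why the iteration count matters for deployments.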