Re: SCRAM authentication, take three
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Michael Paquier <michael.paquier@gmail.com>, Aleksander Alekseev <a.alekseev@postgrespro.ru>, Alvaro Herrera <alvherre@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2017-04-07T05:21:10Z
Lists: pgsql-hackers
On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote: > On 04/06/2017 08:36 AM, Noah Misch wrote: > >On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote: > >>I didn't include the last-minute changes to the way you specify this in > >>pg_hba.conf. So it's still just "scram". I agree in general that we should > >>think about how to extend that too, but I think the proposed syntax was > >>overly verbose for what we actually support right now. Let's discuss that as > >>a separate thread, as well. > > > >[Action required within three days. This is a generic notification.] > > > >The above-described topic is currently a PostgreSQL 10 open item. > > I don't think we will come up with anything better than what we have now, so > I have removed this from the open items list. Michael shared[1] better pg_hba.conf syntax on 2016-11-05. I agreed[2] with his framing of the problem and provided two syntax alternatives, on 2017-01-18. Michael implemented[3] a variation of one of those on 2017-02-20, which you declined in your 2017-03-07 commit with just the explanation quoted above. I say Michael came up with something better five months ago. Reserving, as HEAD does today, keyword "scram" to mean "type of SCRAM we introduced first" will look ugly in 2027. Cryptographic hash functions have a short shelf life compared to PostgreSQL. nm [1] https://www.postgresql.org/message-id/CAB7nPqS99Z31f7jhoYYMoBDbuZSQRpn+HQzByA=EwfMDYwCk1Q@mail.gmail.com [2] https://www.postgresql.org/message-id/20170118052356.GA5952@gust [3] https://www.postgresql.org/message-id/CAB7nPqSALxkOOHBK3ugBF+Kfq4pqgTgJK_os68f3NkXGhDOz6w@mail.gmail.com
Commits
-
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
- c727f120ff50 10.0 landed
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed