Re: SCRAM authentication, take three
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Michael Paquier <michael.paquier@gmail.com>, Aleksander Alekseev <a.alekseev@postgrespro.ru>, Alvaro Herrera <alvherre@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>, magnus@hagander.net, robertmhaas@gmail.com
Date: 2017-04-16T04:14:21Z
Lists: pgsql-hackers
On Wed, Apr 12, 2017 at 02:33:27AM -0400, Noah Misch wrote: > On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote: > > On 04/11/2017 04:52 AM, Peter Eisentraut wrote: > > >On 4/10/17 04:27, Heikki Linnakangas wrote: > > >>One thing to consider is that we just made the decision that "md5" > > >>actually means "md5 or scram-sha-256". Extrapolating from that, I think > > >>we'll want "scram-sha-256" to mean "scram-sha-256 or scram-sha-256-plus" > > >>(i.e. the channel-bonding variant) in the future. And if we get support > > >>for scram-sha-512, "scram-sha-256" would presumably allow that too. > > > > > >But how would you choose between scram-sha-256-plus and scram-sha-512? > > > > Good question. We would need to decide the order of preference for those. > > > > That question won't arise in practice. Firstly, if the server can do > > scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless > > there's a change in the way the channel binding works, such that the > > scram-sha-512-plus variant needs a newer version of OpenSSL or something. > > Secondly, the user's pg_authid row will contain a SCRAM-SHA-256 or > > SCRAM-SHA-512 verifier, not both, so that will dictate which one to use. > > [Action required within three days. This is a generic notification.] > > The above-described topic is currently a PostgreSQL 10 open item. Heikki, > since you committed the patch believed to have created it, you own this open > item. If some other commit is more relevant or if this does not belong as a > v10 open item, please let us know. Otherwise, please observe the policy on > open item ownership[1] and send a status update within three calendar days of > this message. Include a date for your subsequent status update. Testers may > discover new open items at any time, and I want to plan to get them all fixed > well in advance of shipping v10. Consequently, I will appreciate your efforts > toward speedy resolution. Thanks. > > [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com This PostgreSQL 10 open item is past due for your status update. Kindly send a status update within 24 hours, and include a date for your subsequent status update. Refer to the policy on open item ownership: https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
Commits
-
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
- c727f120ff50 10.0 landed
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed