SCRAM authentication, take three

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Cc: Michael Paquier <michael.paquier@gmail.com>
Date: 2017-02-06T12:55:08Z
Lists: pgsql-hackers

Attachments

I rebased the SCRAM authentication patches over current master. Here you 
are.

I'm trying to whack this into the final shape that it could actually be 
committed. The previous thread on SCRAM authentication has grown 
ridiculously long and meandered into all kinds of details, so I thought 
it's best to start afresh with a new thread.

So, if you haven't paid attention on this for a while, now would be a 
good time to have another look at the patch. I believe all the basic 
functionality, documentation, and tests are there, and there are no 
known bugs. Please review! I'll start reading through these myself again 
tomorrow.

One thing that's missing, that we need to address before the release, is 
the use of SASLPrep to "normalize" the password. We discussed that in 
the previous thread, and I think we have a good path forward on it. I'd 
be happy to leave that for a follow-up commit, after these other patches 
have been committed, so we can discuss that work separately.

These are also available on Michael's github repository, at 
https://github.com/michaelpq/postgres/tree/scram.

- Heikki

Commits

  1. Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.

  2. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).