SCRAM authentication, take three
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Cc: Michael Paquier <michael.paquier@gmail.com>
Date: 2017-02-06T12:55:08Z
Lists: pgsql-hackers
Attachments
- 0001-Refactor-SHA2-functions-and-move-them-to-src-common.patch.gz (application/gzip) patch 0001
- 0002-Add-encoding-routines-for-base64-without-whitespace-.patch.gz (application/gzip) patch 0002
- 0003-Add-clause-PASSWORD-val-USING-protocol-to-CREATE-ALT.patch.gz (application/gzip) patch 0003
- 0004-Support-for-SCRAM-SHA-256-authentication-RFC-5802-an.patch.gz (application/gzip) patch 0004
- 0005-Add-regression-tests-for-passwords.patch.gz (application/gzip) patch 0005
- 0006-Add-TAP-tests-for-authentication-methods.patch.gz (application/gzip) patch 0006
I rebased the SCRAM authentication patches over current master. Here you are. I'm trying to whack this into the final shape that it could actually be committed. The previous thread on SCRAM authentication has grown ridiculously long and meandered into all kinds of details, so I thought it's best to start afresh with a new thread. So, if you haven't paid attention on this for a while, now would be a good time to have another look at the patch. I believe all the basic functionality, documentation, and tests are there, and there are no known bugs. Please review! I'll start reading through these myself again tomorrow. One thing that's missing, that we need to address before the release, is the use of SASLPrep to "normalize" the password. We discussed that in the previous thread, and I think we have a good path forward on it. I'd be happy to leave that for a follow-up commit, after these other patches have been committed, so we can discuss that work separately. These are also available on Michael's github repository, at https://github.com/michaelpq/postgres/tree/scram. - Heikki
Commits
-
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
- c727f120ff50 10.0 landed
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed