Re: WIP: SCRAM authentication

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Robert Haas <robertmhaas@gmail.com>, Michael Paquier <michael.paquier@gmail.com>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2015-08-08T17:23:42Z
Lists: pgsql-hackers
On 08/08/2015 04:27 PM, Robert Haas wrote:
> I don't see that there's any good reason to allow the same password to
> be stored in the catalog encrypted more than one way,

Sure there is. If you want to be able to authenticate using different 
mechanism, you need the same password "encrypted" in different ways. 
SCRAM uses verifier that's derived from the password in one way, MD5 
authentication needs an MD5 hash, and yet other protocols have other 
requirements.

> and I don't think there's any good reason to introduce the PASSWORD
> VERIFIER terminology.  I think we should store (1) your password,
> either encrypted or unencrypted; and (2) the method used to encrypt
> it.  And that's it.

Like Joe and Stephen, I actually find it highly confusing that we call 
the MD5 hash an "encrypted password". The term "password verifier" is 
fairly common in the specifications of authentication mechanisms. I 
think we should adopt it.

- Heikki



Commits

  1. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).