Re: Password identifiers, protocol aging and SCRAM protocol
Valery Popov <v.popov@postgrespro.ru>
From: Valery Popov <v.popov@postgrespro.ru>
To: pgsql-hackers@postgresql.org
Date: 2016-02-26T15:16:55Z
Lists: pgsql-hackers
26.02.2016 01:10, Michael Paquier пишет: > On Fri, Feb 26, 2016 at 1:38 AM, Valery Popov <v.popov@postgrespro.ru> wrote: >> Hi, Michael >> >> >> 23.02.2016 10:17, Michael Paquier пишет: >>> Attached is a set of patches implementing a couple of things that have >>> been discussed, so let's roll in. >>> >>> Those 4 patches are aimed at putting in-core basics for the concept I >>> call password protocol aging, which is a way to allow multiple >>> password protocols to be defined in Postgres, and aimed at easing >>> administration as well as retirement of outdated protocols, which is >>> something that is not doable now in Postgres. >>> >>> The second set of patch 0005~0008 introduces a new protocol, SCRAM. >>> 9) 0009 is the SCRAM authentication itself.... >> The theme with password checking is interesting for me, and I can give >> review for CF for some features. >> I think that review of all suggested features will require a lot of time. >> Is it possible to make subset of patches concerning only password strength >> and its aging? >> The patches you have applied are non-independent. They should be apply >> consequentially one by one. >> Thus the patch 0009 can't be applied without git error before 0001. >> In this conditions all patches were successfully applied and compiled. >> All tests successfully passed. > If you want to focus on the password protocol aging, you could just > have a look at 0001~0004. OK, I will review patches 0001-0004, for starting. -- Regards, Valery Popov Postgres Professional http://www.postgrespro.com The Russian Postgres Company
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed
-
Refactor SHA2 functions and move them to src/common/.
- 273c458a2b3a 10.0 landed
-
Replace isMD5() with a more future-proof way to check if pw is encrypted.
- dbd69118c05d 10.0 landed
-
Remove bogus notice that older clients might not work with MD5 passwords.
- 7e3ae5455948 9.2.20 landed
- 470af1f41c8b 9.3.16 landed
- ada2cdb61015 9.4.11 landed
- 65a7f190b253 9.5.6 landed
- 7546c135dc30 9.6.2 landed
- 31c54096a18f 10.0 landed
-
Refactor the code for verifying user's password.
- e7f051b8f9a6 10.0 landed
-
Replace PostmasterRandom() with a stronger source, second attempt.
- fe0a0b5993df 10.0 landed
-
Remove support for (insecure) crypt authentication.
- 53a5026b5cb3 8.4.0 cited