Re: [REVIEW]: Password identifiers, protocol aging and SCRAM protocol

Valery Popov <v.popov@postgrespro.ru>

From: Valery Popov <v.popov@postgrespro.ru>
To: Michael Paquier <michael.paquier@gmail.com>, Dmitry Dolgov <9erthalion6@gmail.com>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2016-03-02T08:43:23Z
Lists: pgsql-hackers
>>        <para>
>>         <varname>db_user_namespace</> causes the client's and
>>         server's user name representation to differ.
>>         Authentication checks are always done with the server's user name
>>         so authentication methods must be configured for the
>>         server's user name, not the client's.  Because
>>         <literal>md5</> uses the user name as salt on both the
>>         client and server, <literal>md5</> cannot be used with
>>         <varname>db_user_namespace</>.
>>        </para>
Also in doc/src/sgml/ref/create_role.sgml is should be instead of
       <term>PASSWORD VERIFIERS ( <replaceable 
class="PARAMETER">verifier_type</replaceable> = '<replaceable 
class="PARAMETER">password</replaceable>'</term>
like this
       <term><literal>PASSWORD VERIFIERS</> ( <replaceable 
class="PARAMETER">verifier_type</replaceable> = '<replaceable 
class="PARAMETER">password</replaceable>'</term>-- Regards, Valery Popov 
Postgres Professional http://www.postgrespro.com The Russian Postgres 
Company


Commits

  1. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

  2. Refactor SHA2 functions and move them to src/common/.

  3. Replace isMD5() with a more future-proof way to check if pw is encrypted.

  4. Remove bogus notice that older clients might not work with MD5 passwords.

  5. Refactor the code for verifying user's password.

  6. Replace PostmasterRandom() with a stronger source, second attempt.

  7. Remove support for (insecure) crypt authentication.