Re: Password identifiers, protocol aging and SCRAM protocol
David Steele <david@pgmasters.net>
From: David Steele <david@pgmasters.net>
To: Michael Paquier <michael.paquier@gmail.com>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>,
v.popov@postgrespro.ru
Date: 2016-03-16T15:14:44Z
Lists: pgsql-hackers
On 3/16/16 9:00 AM, Michael Paquier wrote: > On Tue, Mar 15, 2016 at 6:38 PM, David Steele <david@pgmasters.net> wrote: > >> 1) I see that rolvaliduntil is still in pg_authid: >> I think that's OK if we now define it to be "role validity" (it's still >> password validity in the patched docs). I would also like to see a >> validuntil column in pg_auth_verifiers so we can track password >> expiration for each verifier separately. For now I think it's enough to >> copy the same validity both places since there can only be one verifier. > > FWIW, this is an intentional change, and my goal is to focus on only > the protocol aging for now. We will need to move rolvaliduntil to > pg_auth_verifiers if we want to allow rolling updates of password > verifiers for a given role, but that's a different patch, and we need > to think about the SQL interface carefully. This infrastructure makes > the move easier by the way to do that, and honestly I don't really see > what we gain now by copying the same value to two different system > catalogs. Here's my thinking. If validuntil is moved to pg_auth_verifiers now then people can start using it there. That will make it less traumatic when/if validuntil in pg_authid is removed later. The field in pg_authid could be deprecated in this release to let people know not to use it. Or, as I suggested it could be recast as role validity, which right now happens to be the same as password validity. >> 2) I don't think the column naming in pg_auth_verifiers is consistent >> with other catalogs: >> postgres=# select * from pg_auth_verifiers; >> roleid | verimet | verival >> --------+---------+------------------------------------- >> 16387 | m | md505a671c66aefea124cc08b76ea6d30bb >> 16388 | p | testu >> >> System catalogs generally use a 3 character prefix so I would expect the >> columns to be (if we pick avr as a prefix): > > OK, this makes sense. > >> avrrole >> avrmethod >> avrverifier > > Assuming "ver" is the prefix, we get: verroleid, vermethod, vervalue. > I kind of like those ones, more than with "avr" as prefix actually. > Other ideas are of course welcome. ver is fine as a prefix. >> 3) rolpassword is still in pg_shadow even though it is not useful anymore: >> postgres=# select usename, passwd, valuntil from pg_shadow; >> >> usename | passwd | valuntil >> ---------+----------+------------------------ >> vagrant | ******** | >> test | ******** | >> testu | ******** | 2017-01-01 00:00:00+00 >> >> If anyone is actually using this column in a meaningful way they are in >> for a nasty surprise when trying use the value in passwd as a verifier. >> I would prefer to drop the column entirely and produce a clear error. >> >> Perhaps a better option would be to drop pg_shadow entirely since it >> seems to have no further purpose in life. > > We discussed that on the previous thread and the conclusion was to > keep pg_shadow, but to clobber the password value with "***", > explaining this choice: > http://www.postgresql.org/message-id/6174.1455501497@sss.pgh.pa.us Ah, I missed that one. -- -David david@pgmasters.net
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed
-
Refactor SHA2 functions and move them to src/common/.
- 273c458a2b3a 10.0 landed
-
Replace isMD5() with a more future-proof way to check if pw is encrypted.
- dbd69118c05d 10.0 landed
-
Remove bogus notice that older clients might not work with MD5 passwords.
- 7e3ae5455948 9.2.20 landed
- 470af1f41c8b 9.3.16 landed
- ada2cdb61015 9.4.11 landed
- 65a7f190b253 9.5.6 landed
- 7546c135dc30 9.6.2 landed
- 31c54096a18f 10.0 landed
-
Refactor the code for verifying user's password.
- e7f051b8f9a6 10.0 landed
-
Replace PostmasterRandom() with a stronger source, second attempt.
- fe0a0b5993df 10.0 landed
-
Remove support for (insecure) crypt authentication.
- 53a5026b5cb3 8.4.0 cited