Re: SCRAM authentication, take three
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>, Noah Misch <noah@leadboat.com>
Cc: Michael Paquier <michael.paquier@gmail.com>,
Aleksander Alekseev <a.alekseev@postgrespro.ru>,
Alvaro Herrera <alvherre@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>, magnus@hagander.net,
robertmhaas@gmail.com
Date: 2017-04-14T19:33:31Z
Lists: pgsql-hackers
On 4/11/17 01:10, Heikki Linnakangas wrote: > That question won't arise in practice. Firstly, if the server can do > scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless > there's a change in the way the channel binding works, such that the > scram-sha-512-plus variant needs a newer version of OpenSSL or > something. Secondly, the user's pg_authid row will contain a > SCRAM-SHA-256 or SCRAM-SHA-512 verifier, not both, so that will dictate > which one to use. Right. So putting the actual password method in pg_hba.conf isn't going to be useful very often. I think the most practical thing that the user wants in pg_hba.conf is "best password method supported by what is in pg_authid". This is currently spelled "md5", which is of course pretty weird. And it will become weirder over time. I think we want to have a new keyword in pg_hba.conf for that, one which does not indicate any particular algorithm or method (so not "scram" or "sasl"). We could use "password". If we think that "md5" can mean md5-or-beyond, then maybe "password" can mean password-or-md5-or-beyond. Or otherwise a completely new word. We also want to give users/admins a way to phase out old methods or set some policy. We could either make a global GUC setting password_methods='md5 scram-sha-256' and/or make that an option in pg_hba.conf past the method field. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
- c727f120ff50 10.0 landed
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed