Re: SCRAM authentication, take three
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Noah Misch <noah@leadboat.com>, Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Michael Paquier <michael.paquier@gmail.com>,
Aleksander Alekseev <a.alekseev@postgrespro.ru>,
Alvaro Herrera <alvherre@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>, magnus@hagander.net,
robertmhaas@gmail.com
Date: 2017-04-11T01:47:11Z
Lists: pgsql-hackers
On 4/9/17 19:19, Noah Misch wrote: > These are the two chief approaches I'm seeing: > > 1. scram-sha-256, scram-sha-256-plus, and successors will be their own > pg_hba.conf authentication methods. Until and unless someone implements an > ability to name multiple methods per HBA line, you must choose exactly one > SASL method. The concrete work for v10 would be merely renaming "scram" to > "scram-sha-256". I like that. > 2. Create a multiplexed authentication method like "sasl" or "scram" (not to > be confused with today's "scram" method, which denotes SCRAM-SHA-256 > precisely). The DBA permits concrete methods like scram-sha-256 via HBA > option. Absent that option, the system could default to a reasonable list. The problem with that approach is that you would then eventually need yet another place like pg_hba.conf to configure which SASL mechanisms to use under which circumstances. pg_hba.conf is already that place for the Legacy Authentication and Security Layer, so it could be that place for SASL as well. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
- c727f120ff50 10.0 landed
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed