Re: WIP: SCRAM authentication
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Peter Eisentraut <peter_e@gmx.net>, Josh Berkus <josh@agliodbs.com>,
Heikki Linnakangas <hlinnaka@iki.fi>,
Michael Paquier <michael.paquier@gmail.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2015-08-13T03:00:19Z
Lists: pgsql-hackers
On Wed, Aug 12, 2015 at 9:36 PM, Stephen Frost <sfrost@snowman.net> wrote: >> Yes, the SCRAM implementation could be buggy. But also, OpenSSL has >> repeatedly had security bugs that were due to forcing servers to >> downgrade to older protocols. I wouldn't like us to start growing >> similar vulnerabilities, where SCRAM would have been just fine but an >> attack that involves forcing a downgrade to MD5 is possible. > > I agree that such similar vulnerabilities would be unfortunate, but > the way to avoid that is to not implement the actual hashing or > encryption algorithms ourselves and to stick to the protocol as defined > in the specification. Nothing in that will protect us if the client can request a non-SCRAM form of authentication. >> I don't think you are quite correct about the scenario where pg_authid >> is compromised. Even if the hash stored there is functionally >> equivalent to the password itself as far as this instance of >> PostgreSQL is concerned, the same password may have been used for >> other services, so cracking it has a purpose. > > I attempted to address that also by stating that, should an attacker > compromise a system with the goal of gaining the cleartext password, > they would attempt the following, in order: What if they steal a pg_dump? All of the password verifiers are there, but the live system is not. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed