Re: WIP: SCRAM authentication
Michael Paquier <michael.paquier@gmail.com>
From: Michael Paquier <michael.paquier@gmail.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2015-08-07T07:22:53Z
Lists: pgsql-hackers
Attachments
- 0001-Add-facility-to-store-multiple-password-formats.patch (application/x-patch) patch 0001
- 0002-Move-sha1.c-to-src-common.patch (application/x-patch) patch 0002
- 0003-Refactor-sendAuthRequest.patch (application/x-patch) patch 0003
- 0004-SCRAM-authentication.patch (application/x-patch) patch 0004
On Tue, Aug 4, 2015 at 4:20 PM, Michael Paquier wrote: > I have been looking more in depths at this one, which adds essential > infrastructure to support multiple authentication hashes for more protocols. > Here are some comments: > [spec lines] > I am willing to write a patch for the next CF following more or less those > lines, depending of course on the outcome of the discussion we can have > here, so feel free to comment. OK, attached as 0001 is the patch that respects those lines for the support of multiple password verifiers in system catalogs. I have added a new catalog called pg_auth_verifiers that is used at authentication to fetch a password value depending on the protocol used. With only this patch attached there are two types of verifiers: plain and md5. This new catalog is REVOKE'd like pg_authid (pg_authid could be made readable be this seems sensitive to me so I am not changing it). I have as well done the following things: - Added PASSWORD VERIFIER (md5 = 'hoge', plain = 'hoge') which is used as well by pg_dump all to be able to specify password verifiers one by one. - password check hook has been reworked as mentioned to be able to manage a list of password verifiers instead of a single entry. contrib/passwordcheck has been updated as well. - Added regression tests testing UNENCRYPTED/ENCRYPTED, PASSWORD VERIFIER, PASSWORD, etc. - The patch does not break backward compatibility regarding CREATE ROLE and ALTER ROLE. - password_encryption has been changed to a list with comma-separated elements, for now the possible elements are 'md5' and 'plain'. This breaks backward compatibility, so if we care about it we should consider having a new GUC password_encryption_list or similar. Default is md5, default that does not change backward compatibility. - Added documentation. - pg_shadow has been updated, switching to an array with method:password as elements. > I'll have a look more in-depth at the scram patch as well. The SCRAM patch (0002~0004) has been rebased to use the new facility. I have as well fixed a syscache leak... But I haven't been able to enter much in the details yet. The patch 0001 to add the multiple verifier facility is in a state good enough to get some review, so I am registering an entry for it in the next CF. And I'll continue the work on the SCRAM portion next week, with hopefully a version ready for CF submission. Regards, -- Michael
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed