Re: Authentication tests, and plain 'password' authentication with a SCRAM verifier
Michael Paquier <michael.paquier@gmail.com>
From: Michael Paquier <michael.paquier@gmail.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2017-03-14T13:43:12Z
Lists: pgsql-hackers
On Tue, Mar 14, 2017 at 9:36 PM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: > While looking at the test, I noticed that the SCRAM patch didn't include > support for logging in with plain 'password' authentication, when the user > has a SCRAM verifier stored in pg_authid. That was an oversight. If the > client gives the server the plain password, it's easy for the server to > verify that it matches the SCRAM verifier. Right. I forgot about that.. > Attached patches add the TAP test suite, and implement plain 'password' > authentication for users with SCRAM verifier. Any comments? + /* + * The password looked like a SCRAM verifier, but could not be + * parsed. + */ + elog(LOG, "invalid SCRAM verifier for user \"%s\"", username); This would be sent back to the client, no? I think that you should use *logdetail as well in scram_verify_plain_password. +# This test cannot run on Windows as Postgres cannot be set up with Unix +# sockets and needs to go through SSPI. Yes, true. Having that in its own folder is fine for me. -- Michael
Commits
-
Don't use SCRAM-specific "e=invalid-proof" on invalid password.
- 344a11307988 10.0 landed