Re: Password identifiers, protocol aging and SCRAM protocol
Michael Paquier <michael.paquier@gmail.com>
From: Michael Paquier <michael.paquier@gmail.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, David Steele <david@pgmasters.net>, Robert Haas <robertmhaas@gmail.com>, David Fetter <david@fetter.org>, Alvaro Herrera <alvherre@2ndquadrant.com>,
Magnus Hagander <magnus@hagander.net>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Julian Markwort <julian.markwort@uni-muenster.de>,
Stephen Frost <sfrost@snowman.net>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>,
Valery Popov <v.popov@postgrespro.ru>
Date: 2016-08-19T06:46:50Z
Lists: pgsql-hackers
Attachments
- 0001-Bundle-md5.c-into-src-common.patch (text/x-patch) patch 0001
- 0002-Move-ip.c-from-src-backend-libpq-to-src-common.patch (text/x-patch) patch 0002
On Fri, Aug 19, 2016 at 1:51 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: > On 08/18/2016 03:45 PM, Michael Paquier wrote: >> >> On Thu, Aug 18, 2016 at 9:28 PM, Heikki Linnakangas <hlinnaka@iki.fi> >> wrote: >> For the current ip.c, I don't have a better idea than putting in >> src/common/ip.c the set of routines used by both the frontend and >> backend, and have fe_ip.c the new file that has the frontend-only >> things. Need a patch? > > > Yes, please. I don't think there's anything there that's needed by only the > frontend, but some of the functions are needed by only the backend. So I > think we'll end up with src/common/ip.c, and src/backend/libpq/be-ip.c. (Not > sure about those names, pick something that makes sense, given what's left > in the files.) OK, so let's do that first correctly. Attached are two patches: - 0001 moves md5 to src/common - 0002 that does the same for ip.c. By the way, it seems to me that having be-ip.c is not that much worth it. I am noticing that only pg_range_sockaddr could be marked as backend-only. pg_foreach_ifaddr is being used as well by tools/ifaddrs/, and this one calls as well pg_sockaddr_cidr_mask. Or is there still some utility in having src/tools/ifaddrs? If not we could move pg_sockaddr_cidr_mask and pg_foreach_ifaddr to be backend-only. With pg_range_sockaddr that would make half the routines to be marked as backend-only. I have not rebased the whole series yet of SCRAM... I'll do that after we agree on those two patches with the two commits you have already done cleaned up of course (thanks btw for those ones!). -- Michael
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed
-
Refactor SHA2 functions and move them to src/common/.
- 273c458a2b3a 10.0 landed
-
Replace isMD5() with a more future-proof way to check if pw is encrypted.
- dbd69118c05d 10.0 landed
-
Remove bogus notice that older clients might not work with MD5 passwords.
- 7e3ae5455948 9.2.20 landed
- 470af1f41c8b 9.3.16 landed
- ada2cdb61015 9.4.11 landed
- 65a7f190b253 9.5.6 landed
- 7546c135dc30 9.6.2 landed
- 31c54096a18f 10.0 landed
-
Refactor the code for verifying user's password.
- e7f051b8f9a6 10.0 landed
-
Replace PostmasterRandom() with a stronger source, second attempt.
- fe0a0b5993df 10.0 landed
-
Remove support for (insecure) crypt authentication.
- 53a5026b5cb3 8.4.0 cited