Re: Password identifiers, protocol aging and SCRAM protocol

Michael Paquier <michael.paquier@gmail.com>

From: Michael Paquier <michael.paquier@gmail.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: David Steele <david@pgmasters.net>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>, Valery Popov <v.popov@postgrespro.ru>
Date: 2016-03-18T18:07:26Z
Lists: pgsql-hackers
On Sat, Mar 19, 2016 at 12:28 AM, Robert Haas <robertmhaas@gmail.com> wrote:
> On Fri, Mar 18, 2016 at 9:31 AM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> That's not an issue for me to rebase this set of patches. The only
>> conflicts that I anticipate are on 0009, but I don't have high hopes
>> to get this portion integrating into core for 9.6, the rest of the
>> patches is complicated enough, and everyone bandwidth is limited.
>
> I really think we ought to consider pushing this whole thing out to
> 9.7.  I don't see how we're going to get all of this into 9.6, and
> these are big, user-facing changes that I don't think we should rush
> into under time pressure.  I think it'd be better to do this early in
> the 9.7 cycle so that it has time to settle before the time crunch at
> the end.  I predict this is going to have a lot of loose ends that are
> going to take months to settle, and we don't have that time right now.
> And I'd rather see all of the changes in one release than split them
> across two releases.

FWIW, the catalog separation is not that much a complicated patch, and
that's really a change independent on SCRAM, the main matter being to
manage critical index and relation entries correctly and it does not
touch the authentication code, which is what IMO is the sensitive
part. The catalog separation opens the door as well to multiple
verifiers for the same protocol for a single role, facilitating
password rolling policies, which is a feature that has been asked a
lot. Nothing prevents the development of moving validuntil into
pg_auth_verifiers in parallel of the SCRAM for the 9.7 release cycle,
though it would facilitate it to have some basic infra in place. Just
my 2c.
-- 
Michael


Commits

  1. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

  2. Refactor SHA2 functions and move them to src/common/.

  3. Replace isMD5() with a more future-proof way to check if pw is encrypted.

  4. Remove bogus notice that older clients might not work with MD5 passwords.

  5. Refactor the code for verifying user's password.

  6. Replace PostmasterRandom() with a stronger source, second attempt.

  7. Remove support for (insecure) crypt authentication.