Re: Password identifiers, protocol aging and SCRAM protocol

Michael Paquier <michael.paquier@gmail.com>

From: Michael Paquier <michael.paquier@gmail.com>
To: Valery Popov <v.popov@postgrespro.ru>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>, david@pgmasters.net
Date: 2016-03-15T15:59:06Z
Lists: pgsql-hackers
On Tue, Mar 15, 2016 at 3:46 PM, Valery Popov wrote:
> make installcheck-world failed on several contrib modules:
> dblink, file_fdw, hstore, pgcrypto, pgstattuple, postgres_fdw, tablefunc.
> The tests results are attached.
> Documentation looks good.
> Where may be a problem with make check-world and make installcheck-world
> results?

I cannot reproduce this, and my guess is that the binaries of those
contrib/ modules are not up to date for the installed instance of
Postgres you are running the tests on. Particularly I find this
portion doubtful:

  SELECT avg(normal_rand)::int FROM normal_rand(100, 250, 0.2);
! server closed the connection unexpectedly
! This probably means the server terminated abnormally
! before or while processing the request.
! connection to server was lost

The set of patches I am proposing here does not go through those code
paths, and this is likely an aggregate failure.
-- 
Michael


Commits

  1. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

  2. Refactor SHA2 functions and move them to src/common/.

  3. Replace isMD5() with a more future-proof way to check if pw is encrypted.

  4. Remove bogus notice that older clients might not work with MD5 passwords.

  5. Refactor the code for verifying user's password.

  6. Replace PostmasterRandom() with a stronger source, second attempt.

  7. Remove support for (insecure) crypt authentication.