| From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
|---|---|
| To: | Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Simon Riggs <simon(at)2ndquadrant(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Letting the client choose the protocol to use during a SASL exchange |
| Date: | 2017-04-11 06:50:59 |
| Message-ID: | 239ed1f3-b4bd-9810-4bb9-2a41746e6732@iki.fi |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 04/10/2017 11:03 PM, Álvaro Hernández Tortosa wrote:
> Channel binding needs to specify actually three things:
> - The mechanism, which is indeed suffixed "-PLUS".
> - The channel binding name, which is described here:
> https://tools.ietf.org/html/rfc5056. Types are also IANA-registered (see
> https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml)
> SCRAM mandates to implement 'tls-unique', but other channel binding
> types could be supported (like 'tls-server-end-point' for example).
> - The channel binding data, which is channel binding mechanism
> dependent, and is sent as part of the client last message.
>
> What I'm talking about here is the second one, the channel binding
> type (name).
Oh, I see. According to the SCRAM RFC, "tls-unique" is used by default.
I don't see us implementing anything else any time soon. PostgreSQL
doesn't support any other "channel type" than TLS, and tls-unique is the
only one that makes sense for TLS.
If we do need it after all, the server could advertise the additional
channel binding types as additional SASL mechanisms in the
AuthenticationSASL message, maybe something like:
"SCRAM-SHA-256"
"SCRAM-SHA-256-PLUS" (for tls-unique)
"SCRAM-SHA-256-PLUS ssh-unique" (for hypothetical ssh channel binding)
The same trick can be used to advertise any other SASL mechanism
specific options, if needed in the future.
>> I'm not sure I follow. The username is sent from client to server, and
>> currently, the server will ignore it. If you're writing a client
>> library, it can send whatever it wants. (Although again I would
>> recommend an empty string, to avoid confusion. Sending the same
>> username as in the startup packet, as long as it's in UTF-8, seems
>> reasonable too.)
>
> OK, understood. I will not let then the SCRAM implementation I'm
> writing to allow for empty string as the user name, but in the pgjdbc
> glue code send "ignore" as the user name or something like that ;P
Hmm, so the SASL library you're using doesn't like sending an empty
string as the username? Now that I look at RFC5802 more closely, it says:
> If the preparation of the username fails or results in an empty
> string, the server SHOULD abort the authentication exchange.
Perhaps we should reserve a magic user name to mean "same as startup
message", in addition or instead of the empty string. We actually
discussed that already at [1], but we forgot about it since.
[1] https://www.postgresql.org/message-id/551A8C2F.7050409%40iki.fi
- Heikki
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fabien COELHO | 2017-04-11 06:56:53 | Re: Variable substitution in psql backtick expansion |
| Previous Message | Pavel Stehule | 2017-04-11 06:49:11 | Re: Variable substitution in psql backtick expansion |