| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
| Subject: | Re: Successor of MD5 authentication, let's use SCRAM |
| Date: | 2013-09-12 14:30:21 |
| Message-ID: | 5231CFFD.5020605@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 09/12/2013 09:10 AM, Heikki Linnakangas wrote:
>
>
> Now, to a completely different approach:
>
> I just found out that OpenSSL has added support for SRP in version
> 1.0.1. We're already using OpenSSL, so all we need to do is to provide
> a couple of callbacks to OpenSSL, and store SRP verifiers in pg_authid
> instead of MD5 hashes, and we're golden.
>
> Well, not quite. There's one little problem: Currently, we first
> initialize SSL, then read the startup packet which contains the
> username and database to connect to. After that, we initialize
> database access to the specified database, and only then we proceed
> with authentication. That's not a problem for certificate
> authentication, because certificate authentication doesn't require any
> database access, but if we are to store the SRP verifiers in
> pg_authid, we'll need to database access much earlier. Before we know
> which database to connect to.
>
>
You forgot to mention that we'd actually like to get away from being
tied closely to OpenSSL because it has caused license grief in the past
(not to mention that it's fairly dirty to manage).
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2013-09-12 14:35:12 | Re: Protocol forced to V2 in low-memory conditions? |
| Previous Message | Heikki Linnakangas | 2013-09-12 13:10:33 | Re: Successor of MD5 authentication, let's use SCRAM |