From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Noah Misch <noah(at)leadboat(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: scram and \password |
Date: | 2017-04-11 19:07:12 |
Message-ID: | 56f6c214-f433-3758-7753-3081963b45a9@iki.fi |
Lists: | pgsql-hackers |
On 04/10/2017 08:42 AM, Michael Paquier wrote:
> As there have been some conflicts because of the commit of SASLprep,
> here is a rebased set of patches. A couple of things worth noting:
> - SASLprep does an allocation of the prepared password string. It is
> definitely better to do all the ground work in pg_saslprep but this
> costs a free() call with a #ifdef FRONTEND at the end of
> scram_build_verifier().
> - Patch 0005 does that:
> + /*
> + * Hash password using SCRAM-SHA-256 when connecting to servers
> + * newer than Postgres 10, and hash with MD5 otherwise.
> + */
> + if (pset.sversion < 100000)
> + encrypted_password = PQencryptPassword(pw1, user, "md5");
> + else
> + encrypted_password = PQencryptPassword(pw1, user, "scram");
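Review bot: the comment at the top of this hunk says SCRAM-SHA-256 is used for servers "newer than Postgres 10", but the test `pset.sversion < 100000` sends only pre-10 servers to "md5", so a version 10 server itself gets "scram"; reword the comment to "Postgres 10 or newer" so it matches the condition. The branch also keys on the server version alone, so the hash choice takes no account of how the server is configured to store passwords; if that is intended, the comment should say so.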
> Actually I am thinking that guessing the hashing function according to
> the value of password_encryption would make the most sense. Thoughts?

Thanks! I've been busy on the other thread on future-proofing the
protocol with negotiating the SASL mechanism. I'll come back to this
once we get that settled. By the end of the week, I presume.

Not sure about the password-encryption thing, there are good arguments
for either behavior.

- Heikki