Re: WIP: SCRAM authentication

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: WIP: SCRAM authentication
Date: 2015-08-11 17:06:51
Message-ID: CA+TgmoaZGsc9otn6D=mJ4Ny_R56ZRX+ZtSwCd5_KK7yhjbEbqQ@mail.gmail.com
Lists: pgsql-hackers

On Tue, Aug 11, 2015 at 12:49 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
> You're suggesting, then, that the switchover should be relatively easy,
> because drivers will support both MD5 and SCRAM, and once all drivers
> support both, the DBA can just swap verifiers?

Yes, that's what I was imagining would happen. I can't imagine driver
authors wanting to remove support for MD5, because even if SCRAM goes
into 9.6, pre-9.6 servers are going to exist for many years to come,
and people are going to want to talk to them.

It seems to me that the protocol flow should be:

(1) Client sends StartupMessage.

(2) Server checks whether this user has an MD5 password verifier or a
SCRAM password verifier. If the former, it responds with
AuthenticationMD5Password or AuthenticationCleartextPassword just as
it would do today, I guess based on pg_hba.conf. If the latter, it
responds with a new protocol message AuthenticationScram.

So, if you switch the password verifier, the clients will all
automatically begin using SCRAM, because the server will tell them to.
And if they can't, they'll fail.

> That makes sense if drivers go that way. I'm concerned that some
> drivers will have a different call for a SCRAM connection than for an
> MD5 one; we'd want to exert our project influence to prevent that from
> happening.

I'm not sure that would be a disaster, but do any existing drivers
have a different call for a cleartext password
(pg_hba.conf='password') than they do for an MD5 password
(pg_hba.conf='md5')? If not, I'm not sure why they'd add that just
because there is now a third way of doing password-based
authentication.

> That also makes it a bit harder to test the new auth on a few app
> servers before a general rollout, but there's ways around that.

Well, staging servers are a good idea...

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
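
The flow in steps (1) and (2) of the message above, as an added sketch that is not part of the original mail or of PostgreSQL's code: the server picks the auth request from the stored verifier type, and a driver succeeds only if it implements that request. The enum and function names, the capability bits and the "scram:" verifier tag are assumptions made for the illustration; the mail does not specify a stored SCRAM format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* AUTH_REQ_SCRAM stands in for the proposed AuthenticationScram message. */
typedef enum { AUTH_REQ_CLEARTEXT, AUTH_REQ_MD5, AUTH_REQ_SCRAM, AUTH_REQ_REJECT } AuthReq;

/* Methods a driver implements (hypothetical capability bits). */
enum { CAP_CLEARTEXT = 1, CAP_MD5 = 2, CAP_SCRAM = 4 };

/* MD5 verifiers are stored as "md5" followed by 32 hex digits. */
static int is_md5_verifier(const char *v)
{
    if (strncmp(v, "md5", 3) != 0 || strlen(v) != 35)
        return 0;
    for (const char *p = v + 3; *p; p++)
        if (!isxdigit((unsigned char) *p))
            return 0;
    return 1;
}

/* Step (2): the request follows the verifier type; for an MD5 verifier,
 * pg_hba.conf decides between cleartext and MD5, as it does today. */
AuthReq choose_auth_request(const char *verifier, const char *hba_method)
{
    if (verifier == NULL)
        return AUTH_REQ_REJECT;
    if (strncmp(verifier, "scram:", 6) == 0)   /* assumed tag, see lead-in */
        return AUTH_REQ_SCRAM;
    if (is_md5_verifier(verifier))
        return (hba_method && strcmp(hba_method, "password") == 0)
            ? AUTH_REQ_CLEARTEXT : AUTH_REQ_MD5;
    return AUTH_REQ_REJECT;                    /* other formats: outside this sketch */
}

/* Client side: the driver can continue only if it implements the request. */
int client_can_answer(unsigned caps, AuthReq req)
{
    unsigned need = req == AUTH_REQ_CLEARTEXT ? CAP_CLEARTEXT
                  : req == AUTH_REQ_MD5 ? CAP_MD5
                  : req == AUTH_REQ_SCRAM ? CAP_SCRAM : 0;
    return need != 0 && (caps & need) != 0;
}

int main(void)
{
    /* Constructed verifier: the DBA has swapped this user to SCRAM. */
    AuthReq r = choose_auth_request("scram:constructed", "md5");
    printf("request=%d md5-only driver ok=%d\n", (int) r,
           client_can_answer(CAP_CLEARTEXT | CAP_MD5, r));
    return 0;
}
```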
