| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
| Cc: | Julian Markwort <julian(dot)markwort(at)uni-muenster(dot)de>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>, Valery Popov <v(dot)popov(at)postgrespro(dot)ru> |
| Subject: | Re: Password identifiers, protocol aging and SCRAM protocol |
| Date: | 2016-03-30 16:14:03 |
| Message-ID: | CA+TgmoahM22VCuNtM-33WE56WCQ59o_jbF0A3VChdwZ4paaesw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Mar 30, 2016 at 9:46 AM, Michael Paquier
<michael(dot)paquier(at)gmail(dot)com> wrote:
>> Things I noticed:
>> 1.
>> when using either
>> CREATE ROLE
>> ALTER ROLE
>> with the parameter
>> ENCRYPTED
>> md5 encryption is always assumed (I've come to realize that UNENCRYPTED
>> always equals plain and, in the past, ENCRYPTED equaled md5 since there were
>> no other options)
>
> Yes, that's to match the current behavior, and make something fully
> backward-compatible. Switching to md5 + scram may have made sense as
> well though.
I think we're not going to have much luck getting people to switch
over to SCRAM if the default remains MD5. Perhaps there should be a
GUC for this - and we can initially set that GUC to md5, allowing
people who are ready to adopt SCRAM to change it. And then in a later
release we can change the default, once we're pretty confident that
most connectors have added support for the new authentication method.
This is going to take a long time to roll out. Alternatively, we
could control it strictly through DDL.
Note that the existing behavior is pretty wonky:
alter user rhaas unencrypted password 'foo'; -> rolpassword foo
alter user rhaas encrypted password 'foo'; -> rolpassword
md5e748797a605a1c95f3d6b5f140b2d528
alter user rhaas encrypted password
'md5e748797a605a1c95f3d6b5f140b2d528'; -> rolpassword
md5e748797a605a1c95f3d6b5f140b2d528
alter user rhaas unencrypted password
'md5e748797a605a1c95f3d6b5f140b2d528'; -> rolpassword
md5e748797a605a1c95f3d6b5f140b2d528
So basically the use of the ENCRYPTED keyword means "if it does
already seem to be the sort of MD5 blob we're expecting, turn it into
that". And we just rely on the format to distinguish between an MD5
verifier and an unencrypted password. Personally, I think a good
start here, and I think you may have something like this in the patch
already, would be to split rolpassword into two columns, say
rolencryption and rolpassword. rolencryption says how the password
verifier is encrypted and rolpassword contains the verifier itself.
Initially, rolencryption will be 'plain' or 'md5', but later we can
add 'scram' as another choice, or maybe it'll be more specific like
'scram-hmac-doodad'. And then maybe introduce syntax like this:
alter user rhaas set password 'raw-unencrypted-passwordt' using
'verifier-method';
alter user rhaas set password verifier 'verifier-goes-here' using
'verifier-method';
That might require making verifier a key word, which would be good to
avoid. Perhaps we could use "password validator" instead?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2016-03-30 16:26:35 | Re: [postgresSQL] [bug] Two or more different types of constraints with same name creates ambiguity while drooping. |
| Previous Message | Tom Lane | 2016-03-30 16:12:08 | Re: [postgresSQL] [bug] Two or more different types of constraints with same name creates ambiguity while drooping. |