From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Authentication tests, and plain 'password' authentication with a SCRAM verifier |
Date: | 2017-03-14 13:43:12 |
Message-ID: | CAB7nPqReLLqUL7XPZ0K7L2T5XbvCnZSC_Ji+TOPqA=YFedKoiw@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, Mar 14, 2017 at 9:36 PM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> While looking at the test, I noticed that the SCRAM patch didn't include
> support for logging in with plain 'password' authentication, when the user
> has a SCRAM verifier stored in pg_authid. That was an oversight. If the
> client gives the server the plain password, it's easy for the server to
> verify that it matches the SCRAM verifier.
Right. I forgot about that.
> Attached patches add the TAP test suite, and implement plain 'password'
> authentication for users with SCRAM verifier. Any comments?
+ /*
+ * The password looked like a SCRAM verifier, but could not be
+ * parsed.
+ */
+ elog(LOG, "invalid SCRAM verifier for user \"%s\"", username);
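Review bot: the parse-failure reason is emitted here as a stand-alone elog(LOG) carrying only the user name, separate from the authentication-failed message the caller will report; route the reason through the *logdetail argument instead so it lands on the same server-log entry as the failure, and keep the client-facing error generic.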
This would be sent back to the client, no? I think that you should use
*logdetail as well in scram_verify_plain_password.
+# This test cannot run on Windows as Postgres cannot be set up with Unix
+# sockets and needs to go through SSPI.
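Review bot: the comment states the suite cannot run on Windows, but the lines shown carry only the comment; make sure the test file actually detects Windows and skips the plan (rather than failing), with this sentence as the reported skip reason.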
Yes, true. Having that in its own folder is fine for me.
--
Michael
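The check Heikki describes above, a server holding a SCRAM verifier validating a password received in the clear, as an added example that is not code from the patch or from PostgreSQL. It assumes the verifier text format released PostgreSQL 10 stores in pg_authid (`SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>`, all three values base64), omits SASLprep normalization of the password, and mirrors the *logdetail idea from the reply by returning a server-log-only reason next to the boolean result; the function names and the sample salt are constructed for the example.

```python
import base64
import hashlib
import hmac


def build_scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Derive a SCRAM-SHA-256 verifier string from a plaintext password.

    Assumed format (PostgreSQL 10 on-disk layout):
        SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
    SASLprep of the password is omitted here (simplification).
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_scram_verifier(verifier: str):
    """Split a stored verifier into (iterations, salt, stored_key, server_key).

    Raises ValueError when the string only looks like a verifier but is
    malformed (the case the quoted elog(LOG) above reports).
    """
    try:
        mech, rest = verifier.split("$", 1)
        if mech != "SCRAM-SHA-256":
            raise ValueError("unsupported mechanism")
        iter_salt, keys = rest.split("$", 1)
        iter_text, salt_b64 = iter_salt.split(":", 1)
        stored_b64, server_b64 = keys.split(":", 1)
        iterations = int(iter_text)
        if iterations < 1:
            raise ValueError("bad iteration count")
        # validate=True makes b64decode reject stray characters (binascii.Error
        # is a ValueError subclass, so it is caught below).
        salt = base64.b64decode(salt_b64, validate=True)
        stored_key = base64.b64decode(stored_b64, validate=True)
        server_key = base64.b64decode(server_b64, validate=True)
        if len(stored_key) != 32 or len(server_key) != 32 or not salt:
            raise ValueError("bad key or salt length")
    except ValueError:
        raise ValueError("invalid SCRAM verifier") from None
    return iterations, salt, stored_key, server_key


def check_plain_password(username: str, verifier: str, password: str):
    """Verify a plaintext password against a stored SCRAM verifier.

    Returns (ok, logdetail). logdetail is meant for the server log only; the
    client should always receive the same generic failure message.
    """
    try:
        iterations, salt, stored_key, _server_key = parse_scram_verifier(verifier)
    except ValueError:
        return False, f'invalid SCRAM verifier for user "{username}"'
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    # StoredKey = H(ClientKey); compare in constant time to avoid timing leaks.
    if hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return True, None
    return False, f'password does not match for user "{username}"'


if __name__ == "__main__":
    # Constructed sample: a fixed 16-byte salt keeps the output reproducible.
    sample_salt = bytes(range(16))
    stored = build_scram_verifier("correct horse battery", sample_salt)
    print(stored)
    print(check_plain_password("alice", stored, "correct horse battery"))
    print(check_plain_password("alice", stored, "wrong"))
    print(check_plain_password("alice", "SCRAM-SHA-256$4096:notbase64!$x:y", "whatever"))
```

The split between a parse failure and a mismatch is the point of the reply: both must look identical to the connecting client, while the distinct reason belongs in the server log where an administrator can spot a corrupt pg_authid entry.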