From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Noah Misch <noah(at)leadboat(dot)com> |
Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: scram and \password |
Date: | 2017-04-10 05:42:50 |
Message-ID: | CAB7nPqSbsCBCxy8-DtwzRxYgTnbGUtY4uFEkLQhG=R=uo=g8Fw@mail.gmail.com |
Lists: | pgsql-hackers |
On Mon, Apr 10, 2017 at 12:53 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Wed, Apr 05, 2017 at 08:11:25PM +0300, Heikki Linnakangas wrote:
>> >Heikki, are you going to do something about these? We're running out of time.
>>
>> Sorry I've been procrastinating. I'm on it now. (We need to do something
>> about this, feature freeze or not..)
As there have been some conflicts because of the commit of SASLprep,
here is a rebased set of patches. A couple of things worth noting:
- SASLprep does an allocation of the prepared password string. It is
definitely better to do all the ground work in pg_saslprep but this
costs a free() call with a #ifdef FRONTEND at the end of
scram_build_verifier().
- Patch 0005 does that:
+ /*
+ * Hash password using SCRAM-SHA-256 when connecting to servers
+ * newer than Postgres 10, and hash with MD5 otherwise.
+ */
+ if (pset.sversion < 100000)
+ encrypted_password = PQencryptPassword(pw1, user, "md5");
+ else
+ encrypted_password = PQencryptPassword(pw1, user, "scram");
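Review bot: the comment at the top of this hunk says SCRAM-SHA-256 is used for servers "newer than Postgres 10", but the test "pset.sversion < 100000" sends version 10 itself down the "scram" branch, so the comment should read "Postgres 10 or newer, and MD5 for older servers". The method is also picked from the server version alone: on a v10 server \password will always produce a SCRAM verifier, even where MD5 hashes are still wanted for clients that cannot do SCRAM. Consider choosing the method from the server's password_encryption setting, or letting the caller name it, and document whichever rule is chosen in this comment.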
Actually I am thinking that guessing the hashing function according to
the value of password_encryption would make the most sense. Thoughts?
--
Michael
VMware vCenter server
www.vmware.com
Attachment | Content-Type | Size |
---|---|---|
0001-Use-base64-based-encoding-for-stored-and-server-keys.patch | application/octet-stream | 9.5 KB |
0002-Move-routine-to-build-SCRAM-verifier-into-src-common.patch | application/octet-stream | 10.5 KB |
0003-Refactor-frontend-side-random-number-generation.patch | application/octet-stream | 6.5 KB |
0004-Extend-PQencryptPassword-with-a-hashing-method.patch | application/octet-stream | 5.5 KB |
0005-Extend-psql-s-password-and-createuser-to-handle-SCRA.patch | application/octet-stream | 4.4 KB |