Re: scram and \password

From: Simon Riggs <simon(at)2ndquadrant(dot)com>
To: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Joe Conway <mail(at)joeconway(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: scram and \password
Date: 2017-04-18 16:23:47
Message-ID: CANP8+jJ36UWejTR98w9r7cDz-LK-dp=uW+5VhZQRqdun2CGDqw@mail.gmail.com
Lists: pgsql-hackers

On 18 April 2017 at 09:25, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> On 04/18/2017 11:15 AM, Simon Riggs wrote:
>>
>> As a potential open item, if we treat "md5" as ">= md5"
>> should we not also treat "password" as ">=password"?
>>
>> It seems strange that we still support "password" and yet tell
>> everyone not to use it.
>>
>> I'd like PG10 to be the version where I don't have to tell people not
>> to use certain things, hash indexes, "password" etc.
>
>
> Between md5 and scram, the choice is easy, because a user can only have an
> MD5 hashed or SCRAM "hashed" password in pg_authid. So you present the
> client an MD5 challenge or a SCRAM challenge, depending on what the user has
> in pg_authid, or you error out without even trying. But "password"
> authentication can be used with any kind of a verifier in pg_authid.
> "password" authentication can be useful, for example, if a user has a SCRAM
> verifier in pg_authid, but the client doesn't support SCRAM.

Which would be a little strange and defeat the purpose of SCRAM.

> You could argue that you shouldn't use it even in that situation, you should
> upgrade the client, or use SSL certs or an ssh tunnel or something else
> instead. But that's a very different argument than the one for treating
> "md5" as ">= md5".
>
> Also note that LDAP and RADIUS authentication look identical to "password"
> authentication, on the wire. The only difference is that instead of checking
> the password against pg_authid, the server checks it against an LDAP or
> RADIUS server.

So the argument is multiple things are dangerous so we do nothing...

We have an opportunity to change things because it's PG10, so let's not
waste the opportunity.

Thanks very much for working on SCRAM, it's a good feature.

--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
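The server-side decision Heikki describes above (which exchange the server can run given the pg_hba.conf method and the kind of verifier stored in pg_authid), written out as an added illustration; this is not PostgreSQL's code nor either poster's. The function names, the AuthError class and the SCRAM sample string are constructed for this example; the MD5 verifier format ("md5" + md5(password || username)) is the real one.

```python
import hashlib


class AuthError(Exception):
    """Raised when the pg_hba.conf method cannot be satisfied by the stored verifier."""


def md5_verifier(password, username):
    # PostgreSQL's MD5 verifier format: "md5" followed by md5(password || username)
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def verifier_kind(rolpassword):
    """Classify a pg_authid.rolpassword value by its prefix/shape."""
    if rolpassword is None:
        return "none"
    if rolpassword.startswith("md5") and len(rolpassword) == 35:
        return "md5"
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    return "unknown"


def choose_exchange(hba_method, rolpassword):
    """Return the on-wire exchange the server would run for this user, or raise AuthError."""
    kind = verifier_kind(rolpassword)
    if kind == "none":
        raise AuthError("role has no password verifier")
    if hba_method == "password":
        # The cleartext exchange can be checked against any verifier type (and LDAP/RADIUS
        # look identical on the wire), which is why it keeps working in every configuration.
        return "cleartext-password"
    if hba_method == "md5" and kind == "md5":
        return "md5-challenge"
    if hba_method == "md5" and kind == "scram-sha-256":
        # "md5" treated as ">= md5": the role already has a SCRAM verifier, so run SCRAM
        return "scram-sha-256"
    if hba_method == "scram-sha-256" and kind == "scram-sha-256":
        return "scram-sha-256"
    # e.g. hba says scram-sha-256 but pg_authid holds an MD5 verifier: nothing to present
    raise AuthError(f"hba method {hba_method!r} cannot use a {kind} verifier")


def password_crosses_wire(exchange):
    """Only the cleartext exchange transmits the password itself; challenge schemes do not."""
    return exchange == "cleartext-password"


# Constructed sample pg_authid rows (the SCRAM value is illustrative, not a computed verifier)
SAMPLE_PG_AUTHID = {
    "alice": md5_verifier("correct horse", "alice"),
    "bob": "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5",
}
```

Running choose_exchange over SAMPLE_PG_AUTHID shows the asymmetry in the thread: "md5" can be upgraded per role, while "password" stays usable against every verifier and is the only method that sends the password itself.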
