Re: [PoC/RFC] Multiple passwords, interval expirations

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: "Brindle, Joshua" <joshuqbr(at)amazon(dot)com>
Cc: Gurjeet Singh <gurjeet(at)singh(dot)im>, Jacob Champion <jchampion(at)timescale(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PoC/RFC] Multiple passwords, interval expirations
Date: 2022-07-01 15:13:35
Message-ID: CAOuzzgq2j43X6vwF8LCPcPuKZ2gw0ZbF=CrsB6CmtEt1h2ci0g@mail.gmail.com
Lists: pgsql-hackers

Greetings,

On Fri, Jul 1, 2022 at 10:51 Brindle, Joshua <joshuqbr(at)amazon(dot)com> wrote:

>
> On 6/30/22 8:20 PM, Stephen Frost wrote:
> > * Gurjeet Singh (gurjeet(at)singh(dot)im) wrote:
> >> I am planning on picking it up next week; right now picking up steam,
> >> and reviewing a different, smaller patch.
> > Great! Glad that others are interested in this.
> >
> >> At his behest, I had a conversation with Joshua (OP), and have his
> >> support to pick up and continue working on this patch. I have a some
> >> ideas of my own, on what this patch should do, but since I haven't
> >> fully reviewed the (bulky) patch, I'll reserve my proposals until I
> >> wrap my head around it.
> > I'd be curious as to your thought as to what the patch should be doing.
> > Joshua and I had discussed it at some length as he was working on it.
>
>
> Adding myself to the CC list here /waves

Hi!

> I gave Gurjeet a bit of a brain dump on what I had planned (and what
> we'd talked about), though he's free to take it in a different direction
> if he wants.

Perhaps, though I would certainly like this patch to be useful for the
use-cases that we had discussed, naturally. :)

> >> Please expect some activity on this patch towards the end of next week.
> > I've gone ahead and updated it, cleaned up a couple things, and make it
> > so that check-world actually passes with it. Attached is an updated
> > version and I'll add it to the July commitfest.
>
> Ah, thanks. Hopefully it wasn't too horrible of a rebase.

Wasn't too bad. It needs more clean-up; there were some whitespace issues and
some simple rebase stuff, but then the support for the "md5" pg_hba option was
broken for users with SCRAM passwords because we weren't checking if there
was a SCRAM password stored and upgrading to SCRAM in that case. That's the
main case that I fixed. We will need to document this though, of course. The
patch I submitted should basically do:

pg_hba md5 + md5-only pws -> md5 auth used
pg_hba md5 + scram-only pws -> scram
pg_hba md5 + md5 and scram pws -> scram
pg_hba scram -> scram

Not sure if we need to try and do something to make it possible to have
pg_hba md5 + mixed pws and have md5 used, but it's tricky as we would have
to know on the server side early on if that's what we want to do. We could
add an option to md5 to say "only do md5" maybe, but I'm also inclined to
not bother and tell people to just get moved to scram already.

For my 2c, I’d also like to move to having a separate column for the PW
type from the actual secret but that’s largely an independent change.

Thanks!

Stephen

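The md5/SCRAM resolution rules listed in the message above, as an added example (not code from the patch or from PostgreSQL itself). The secret formats follow what PostgreSQL stores in rolpassword; the sample secrets are constructed, and the md5_only flag (the "only do md5" option floated in the mail) and the "reject" outcome for a role with no usable secret are assumptions:

```python
from __future__ import annotations
import re

# Stored-secret formats as PostgreSQL writes them into pg_authid.rolpassword:
# "md5" + 32 hex digits, or "SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>".
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:[^$]+\$[^:]+:[^:]+$")

# Constructed sample secrets (not real credentials); only the shape matters here.
SAMPLE_MD5 = "md5" + "a" * 32
SAMPLE_SCRAM = "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"


def secret_type(secret: str) -> str:
    """Classify one stored secret by its on-disk prefix."""
    if MD5_RE.match(secret):
        return "md5"
    if SCRAM_RE.match(secret):
        return "scram-sha-256"
    return "unknown"


def resolve_auth_method(hba_method: str, secrets: list[str], md5_only: bool = False) -> str:
    """Pick the wire protocol to negotiate for a role that may hold several secrets.

    hba_method: the pg_hba.conf method, "md5" or "scram-sha-256".
    md5_only:   hypothetical "only do md5" switch from the mail; not a real option.
    Returns the method to run, or "reject" (an assumption) when no usable secret exists.
    """
    types = {secret_type(s) for s in secrets}
    types.discard("unknown")
    if not types:
        return "reject"
    if hba_method == "scram-sha-256":
        # pg_hba scram -> scram; a role holding only md5 secrets cannot complete it.
        return "scram-sha-256" if "scram-sha-256" in types else "reject"
    if hba_method == "md5":
        if "scram-sha-256" not in types:
            return "md5"             # md5-only secrets -> md5 auth
        if "md5" in types and md5_only:
            return "md5"             # mixed secrets and the operator insisted on md5
        return "scram-sha-256"       # any SCRAM secret present -> upgrade to SCRAM
    raise ValueError(f"unsupported pg_hba method: {hba_method}")
```

The decision has to be made before the server sends its first authentication message, which is the "know early on the server side" constraint the mail mentions for the mixed-secret case.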