Re: scram and \password

On 04/05/2017 06:53 PM, Robert Haas wrote:
> On Sat, Mar 25, 2017 at 1:10 AM, Michael Paquier
> <michael(dot)paquier(at)gmail(dot)com> wrote:
>> On Fri, Mar 24, 2017 at 10:12 PM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>>> On 03/24/2017 03:02 PM, Michael Paquier wrote:
>>>>
>>>> In order to close this thread, I propose to reuse the patches I sent
>>>> here to make scram_build_verifier() available to frontends:
>>>>
>>>> https://www.postgresql.org/message-id/CAB7nPqT4yc3u8wspYkWbG088Ndp6asMH3=Zb___Ck89CTvziYQ@mail.gmail.com
>>>>
>>>> And on top of it modify \password so as it generates a md5 verifier
>>>> for pre-9.6 servers and a scram one for post-10 servers by looking at
>>>> the backend version of the current connection. What do you think?
>>>
>>> Yep, sounds like a plan.
>>
>> And attached is a set of rebased patches, with createuser and psql's
>> \password extended to do that.
>
> Heikki, are you going to do something about these? We're running out of time.

Sorry I've been procrastinating. I'm on it now. (We need to do something
about this, feature freeze or not..)

At a quick glance, moving pg_frontend_random() to src/common looks like
a non-starter. It uses pglock_thread() which is internal to libpq, so it
won't compile as it is. I think I'm going to change
scram_build_verifier() to take a pre-generated salt as argument, to
avoid the need for a random number generator in src/common.

- Heikki