Re: scram and \password

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Simon Riggs <simon(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Joe Conway <mail(at)joeconway(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: scram and \password
Date: 2017-04-18 08:25:53
Message-ID: fa6cec54-4fa9-756d-53be-a5ba3d03d881@iki.fi
Lists: pgsql-hackers

On 04/18/2017 11:15 AM, Simon Riggs wrote:
> As a potential open item, if we treat "md5" as ">= md5"
> should we not also treat "password" as ">=password"?
>
> It seems strange that we still support "password" and yet tell
> everyone not to use it.
>
> I'd like PG10 to be the version where I don't have to tell people not
> to use certain things, hash indexes, "password" etc.

Between md5 and scram, the choice is easy, because a user can only have
an MD5 hashed or SCRAM "hashed" password in pg_authid. So you present
the client an MD5 challenge or a SCRAM challenge, depending on what the
user has in pg_authid, or you error out without even trying. But
"password" authentication can be used with any kind of a verifier in
pg_authid. "password" authentication can be useful, for example, if a
user has a SCRAM verifier in pg_authid, but the client doesn't support
SCRAM.

You could argue that you shouldn't use it even in that situation, you
should upgrade the client, or use SSL certs or an ssh tunnel or
something else instead. But that's a very different argument than the
one for treating "md5" as ">= md5".

Also note that LDAP and RADIUS authentication look identical to
"password" authentication, on the wire. The only difference is that
instead of checking the password against pg_authid, the server checks it
against an LDAP or RADIUS server.

- Heikki
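The point above, that the server can only issue an MD5 or a SCRAM challenge matching what pg_authid holds, whereas "password" authentication works against any stored verifier because the server receives the cleartext and can recompute either form, is illustrated by the following added example. It is not code from the thread or from PostgreSQL; it models the decision with a small `choose_challenge()` dispatcher (the "md5 means >= md5" rule is taken from the discussion, the method names `password`, `md5` and `scram-sha-256` are the pg_hba.conf spellings) and reproduces the two verifier formats, `md5` + md5(password || username) and `SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>`, using only the standard library. The username, password, salt and iteration count are constructed sample values.

```python
import base64
import hashlib
import hmac


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def md5_verifier(username: str, password: str) -> str:
    """PostgreSQL-style MD5 verifier: the literal prefix "md5" followed by
    hex(md5(password || username)), so the username acts as a fixed salt."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """PostgreSQL-style SCRAM-SHA-256 verifier (RFC 5802 key derivation):
    SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, iterations)
    StoredKey      = SHA256(HMAC(SaltedPassword, "Client Key"))
    ServerKey      = HMAC(SaltedPassword, "Server Key")
    Only StoredKey and ServerKey are kept; neither lets the holder log in."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def verifier_kind(verifier: str) -> str:
    """Classify what is stored in pg_authid.rolpassword by its prefix."""
    if verifier.startswith("md5"):
        return "md5"
    if verifier.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    raise ValueError("unrecognised verifier format")


def choose_challenge(hba_method: str, verifier: str) -> str:
    """Model of the server-side choice described in the thread: which exchange
    can be offered given the pg_hba.conf method and the stored verifier.
    Returns 'cleartext', 'md5', 'scram' or 'error'."""
    kind = verifier_kind(verifier)
    if hba_method == "password":
        # Cleartext works with any verifier: the server recomputes whichever is stored.
        return "cleartext"
    if hba_method == "scram-sha-256":
        # A SCRAM exchange needs SCRAM keys; an MD5 hash cannot be turned into them.
        return "scram" if kind == "scram-sha-256" else "error"
    if hba_method == "md5":
        # ">= md5": offer the stronger SCRAM exchange when that is what is stored.
        return "md5" if kind == "md5" else "scram"
    raise ValueError(f"unsupported pg_hba method: {hba_method}")


def check_cleartext(username: str, password: str, verifier: str) -> bool:
    """What the server does under 'password' auth: rebuild the stored verifier
    from the cleartext it just received and compare in constant time."""
    if verifier_kind(verifier) == "md5":
        return hmac.compare_digest(md5_verifier(username, password), verifier)
    _, params, _keys = verifier.split("$")
    iterations, salt_b64 = params.split(":")
    salt = base64.b64decode(salt_b64)
    recomputed = scram_sha256_verifier(password, salt, int(iterations))
    return hmac.compare_digest(recomputed, verifier)


if __name__ == "__main__":
    # Constructed sample credentials; not real accounts.
    user, pw, salt = "alice", "correct-horse", b"0123456789abcdef"
    for v in (md5_verifier(user, pw), scram_sha256_verifier(pw, salt)):
        print(verifier_kind(v), {m: choose_challenge(m, v) for m in ("password", "md5", "scram-sha-256")})
        print("  cleartext check:", check_cleartext(user, pw, v), check_cleartext(user, "wrong", v))
```

`check_cleartext()` is the reason "password" authentication is method-agnostic: the cost is that the cleartext crosses the wire, which is why the thread notes it only makes sense under SSL, an ssh tunnel, or a similar protected channel, and why LDAP and RADIUS look the same on the wire (they merely forward that cleartext elsewhere instead of comparing it against pg_authid).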
