| From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Noah Misch <noah(at)leadboat(dot)com> |
| Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Aleksander Alekseev <a(dot)alekseev(at)postgrespro(dot)ru>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, magnus(at)hagander(dot)net, robertmhaas(at)gmail(dot)com |
| Subject: | Re: SCRAM authentication, take three |
| Date: | 2017-04-18 11:52:28 |
| Message-ID: | fedd7216-5a5e-f6e5-296e-dc03d3a9eeea@iki.fi |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 04/14/2017 10:33 PM, Peter Eisentraut wrote:
> On 4/11/17 01:10, Heikki Linnakangas wrote:
>> That question won't arise in practice. Firstly, if the server can do
>> scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless
>> there's a change in the way the channel binding works, such that the
>> scram-sha-512-plus variant needs a newer version of OpenSSL or
>> something. Secondly, the user's pg_authid row will contain a
>> SCRAM-SHA-256 or SCRAM-SHA-512 verifier, not both, so that will dictate
>> which one to use.
>
> Right. So putting the actual password method in pg_hba.conf isn't going
> to be useful very often.
>
> I think the most practical thing that the user wants in pg_hba.conf is
> "best password method supported by what is in pg_authid". This is
> currently spelled "md5", which is of course pretty weird. And it will
> become weirder over time.
>
> I think we want to have a new keyword in pg_hba.conf for that, one which
> does not indicate any particular algorithm or method (so not "scram" or
> "sasl").
>
> We could use "password". If we think that "md5" can mean md5-or-beyond,
> then maybe "password" can mean password-or-md5-or-beyond.
>
> Or otherwise a completely new word.
>
> We also want to give users/admins a way to phase out old methods or set
> some policy. We could either make a global GUC setting
> password_methods='md5 scram-sha-256' and/or make that an option in
> pg_hba.conf past the method field.
Yeah, that would be reasonable. It can't be called just "password",
though, because there's no way to implement "password-or-md5-or-scram"
in a sensible way (see my reply to Simon at [1]). Unless we remove the
support for what "password" does today altogether, and redefine
"password" to mean just "md5-or-beyond". Which might not be a bad idea,
but that's a separate discussion.
In any case, I think we would probably still need more fine-grained
control, too, so we would still need to have "scram-sha-256" as a method
you can specify directly in pg_hba.conf. So I consider this as a
separate, new, feature that we can add in the future, if it seems worth
the effort.
I've committed a simple renaming of "scram" to "scram-sha-256", as the
pg_hba.conf and password_encryption option. I think that will do for v10.
[1]
https://www.postgresql.org/message-id/fa6cec54-4fa9-756d-53be-a5ba3d03d881@iki.fi
- Heikki
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2017-04-18 11:58:28 | Re: SCRAM authentication, take three |
| Previous Message | Stas Kelvich | 2017-04-18 11:45:46 | Logical replication ApplyContext bloat |