Re: Password identifiers, protocol aging and SCRAM protocol

On 3/16/16 9:00 AM, Michael Paquier wrote:

> On Tue, Mar 15, 2016 at 6:38 PM, David Steele <david@pgmasters.net> wrote:
>
>> 1) I see that rolvaliduntil is still in pg_authid:
>> I think that's OK if we now define it to be "role validity" (it's still
>> password validity in the patched docs).  I would also like to see a
>> validuntil column in pg_auth_verifiers so we can track password
>> expiration for each verifier separately.  For now I think it's enough to
>> copy the same validity both places since there can only be one verifier.
> 
> FWIW, this is an intentional change, and my goal is to focus on only
> the protocol aging for now. We will need to move rolvaliduntil to
> pg_auth_verifiers if we want to allow rolling updates of password
> verifiers for a given role, but that's a different patch, and we need
> to think about the SQL interface carefully. This infrastructure makes
> the move easier by the way to do that, and honestly I don't really see
> what we gain now by copying the same value to two different system
> catalogs.

Here's my thinking.  If validuntil is moved to pg_auth_verifiers now
then people can start using it there.  That will make it less traumatic
when/if validuntil in pg_authid is removed later.  The field in
pg_authid could be deprecated in this release to let people know not to
use it.

Or, as I suggested it could be recast as role validity, which right now
happens to be the same as password validity.

>> 2) I don't think the column naming in pg_auth_verifiers is consistent
>> with other catalogs:
>> postgres=# select * from pg_auth_verifiers;
>>  roleid | verimet |               verival
>> --------+---------+-------------------------------------
>>   16387 | m       | md505a671c66aefea124cc08b76ea6d30bb
>>   16388 | p       | testu
>>
>> System catalogs generally use a 3 character prefix so I would expect the
>> columns to be (if we pick avr as a prefix):
> 
> OK, this makes sense.
> 
>> avrrole
>> avrmethod
>> avrverifier
> 
> Assuming "ver" is the prefix, we get: verroleid, vermethod, vervalue.
> I kind of like those ones, more than with "avr" as prefix actually.
> Other ideas are of course welcome.

ver is fine as a prefix.

>> 3) rolpassword is still in pg_shadow even though it is not useful anymore:
>> postgres=# select usename, passwd, valuntil from pg_shadow;
>>
>>  usename |  passwd  |        valuntil
>> ---------+----------+------------------------
>>  vagrant | ******** |
>>  test    | ******** |
>>  testu   | ******** | 2017-01-01 00:00:00+00
>>
>> If anyone is actually using this column in a meaningful way they are in
>> for a nasty surprise when trying use the value in passwd as a verifier.
>>  I would prefer to drop the column entirely and produce a clear error.
>>
>> Perhaps a better option would be to drop pg_shadow entirely since it
>> seems to have no further purpose in life.
> 
> We discussed that on the previous thread and the conclusion was to
> keep pg_shadow, but to clobber the password value with "***",
> explaining this choice:
> http://www.postgresql.org/message-id/6174.1455501497@sss.pgh.pa.us

Ah, I missed that one.

-- 
-David
david@pgmasters.net