Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol
| From | Michael Paquier |
|---|---|
| Subject | Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol |
| Date | |
| Msg-id | CAB7nPqTi5jC_AbVMOGidrVy1z6t3v==vWFvdNMxnQEN-WsutKg@mail.gmail.com |
| In reply to | Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol (Heikki Linnakangas <hlinnaka@iki.fi>) |
| Responses | pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol) |
| List | pgsql-hackers |
On Fri, Dec 9, 2016 at 5:11 PM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> Couple of things I should write down before I forget:
>
> 1. It's a bit cumbersome that the scram verifiers stored in
> pg_authid.rolpassword don't have any clear indication that they're scram
> verifiers. MD5 hashes are readily identifiable by the "md5" prefix. I think
> we should use a "scram-sha-256:" for scram verifiers.

scram-sha-256 would make the most sense to me.

> Actually, I think it'd be awfully nice to also prefix plaintext passwords
> with "plain:", but I'm not sure it's worth breaking the compatibility, if
> there are tools out there that peek into rolpassword. Thoughts?

pgbouncer is the only thing coming to mind. It looks at pg_shadow for
password values. pg_dump'ing data from pre-10 instances will also need
to adapt. I find the compatibility with the existing CREATE USER
PASSWORD command tricky though, so I am wondering if that's worth the
complication.

> 2. It's currently not possible to use the plaintext "password"
> authentication method, for a user that has a SCRAM verifier in rolpassword.
> That seems like an oversight. We can't do MD5 authentication with a SCRAM
> verifier, but "password" we could.

Yeah, that should be possible...
--
Michael
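The two points above (identifying the stored form of rolpassword by prefix, and which authentication methods can work against which stored form) as an added, stand-alone Python example; this is not code from the thread or from PostgreSQL. It uses PostgreSQL's real md5 form ("md5" + hex(md5(password || username))) and the SCRAM-SHA-256 key derivation from RFC 5802/7677, but the layout after the proposed "scram-sha-256:" prefix (iterations:salt$StoredKey:ServerKey, base64 fields) is an assumption for this example only; the thread settles the prefix, not the fields (PostgreSQL 10 later shipped a different layout, `SCRAM-SHA-256$iter:salt$StoredKey:ServerKey`). The usernames and passwords are constructed sample input.

```python
import base64
import hashlib
import hmac
import os

SCRAM_PREFIX = "scram-sha-256:"  # prefix proposed in the thread
MD5_PREFIX = "md5"               # PostgreSQL's existing md5 prefix


def md5_verifier(password: str, username: str) -> str:
    """PostgreSQL's md5 rolpassword form: "md5" + hex(md5(password || username))."""
    return MD5_PREFIX + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def scram_keys(password: str, salt: bytes, iterations: int):
    """SCRAM-SHA-256 key derivation (RFC 5802/7677): returns (StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def scram_verifier(password: str, salt: bytes = None, iterations: int = 4096) -> str:
    """Assumed layout (this example's, not the thread's): prefix + iter:salt$StoredKey:ServerKey."""
    if salt is None:
        salt = os.urandom(16)
    stored_key, server_key = scram_keys(password, salt, iterations)

    def b64(b: bytes) -> str:
        return base64.b64encode(b).decode("ascii")

    return f"{SCRAM_PREFIX}{iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def classify(rolpassword: str) -> str:
    """Decide the stored form from the prefix, as point 1 of the thread asks for."""
    if rolpassword.startswith(SCRAM_PREFIX):
        return "scram-sha-256"
    body = rolpassword[len(MD5_PREFIX):]
    if rolpassword.startswith(MD5_PREFIX) and len(body) == 32 \
            and all(c in "0123456789abcdef" for c in body):
        return "md5"
    return "plain"  # no "plain:" prefix exists, so this is the fallback


def check_plain_password(rolpassword: str, username: str, password: str) -> bool:
    """What the cleartext "password" method can do: verify against any stored form (point 2)."""
    kind = classify(rolpassword)
    if kind == "md5":
        return hmac.compare_digest(md5_verifier(password, username), rolpassword)
    if kind == "scram-sha-256":
        params, keys = rolpassword[len(SCRAM_PREFIX):].split("$", 1)
        iterations, salt_b64 = params.split(":", 1)
        stored_b64, _server_b64 = keys.split(":", 1)
        stored_key, _ = scram_keys(password, base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(stored_key, base64.b64decode(stored_b64))
    return hmac.compare_digest(rolpassword.encode("utf-8"), password.encode("utf-8"))


def method_usable(auth_method: str, rolpassword: str) -> bool:
    """Which pg_hba.conf method can be completed against which stored form.

    md5 auth needs md5(password || username) on the server side, which can be
    derived from an md5 verifier or a plaintext password but not from a SCRAM
    verifier (only StoredKey/ServerKey survive). SCRAM likewise cannot be run
    from an md5 hash. The cleartext "password" method works with every form,
    because the server receives the password itself and can recompute anything.
    """
    kind = classify(rolpassword)
    if auth_method == "password":
        return True
    if auth_method == "md5":
        return kind in ("md5", "plain")
    if auth_method == "scram-sha-256":
        return kind in ("scram-sha-256", "plain")
    raise ValueError(f"unknown auth method {auth_method!r}")


if __name__ == "__main__":
    # Constructed sample input.
    v_scram = scram_verifier("secret", salt=b"\x00" * 16)
    v_md5 = md5_verifier("secret", "alice")
    for v in (v_scram, v_md5, "hunter2"):
        print(classify(v), check_plain_password(v, "alice", "secret"),
              [m for m in ("password", "md5", "scram-sha-256") if method_usable(m, v)])
```

The fallback branch in `classify` is exactly the ambiguity that motivates the "plain:" suggestion in the quoted text: a plaintext password that happens to be "md5" followed by 32 hex characters is indistinguishable from a stored md5 hash, and anything reading rolpassword (pgbouncer via pg_shadow, pg_dump) has to guess the same way.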