Re: [HACKERS] SCRAM authentication, take three
| От | Heikki Linnakangas |
|---|---|
| Тема | Re: [HACKERS] SCRAM authentication, take three |
| Дата | |
| Msg-id | fedd7216-5a5e-f6e5-296e-dc03d3a9eeea@iki.fi обсуждение исходный текст |
| Ответ на | Re: [HACKERS] SCRAM authentication, take three (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
| Ответы |
Re: [HACKERS] SCRAM authentication, take three
|
| Список | pgsql-hackers |
On 04/14/2017 10:33 PM, Peter Eisentraut wrote: > On 4/11/17 01:10, Heikki Linnakangas wrote: >> That question won't arise in practice. Firstly, if the server can do >> scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless >> there's a change in the way the channel binding works, such that the >> scram-sha-512-plus variant needs a newer version of OpenSSL or >> something. Secondly, the user's pg_authid row will contain a >> SCRAM-SHA-256 or SCRAM-SHA-512 verifier, not both, so that will dictate >> which one to use. > > Right. So putting the actual password method in pg_hba.conf isn't going > to be useful very often. > > I think the most practical thing that the user wants in pg_hba.conf is > "best password method supported by what is in pg_authid". This is > currently spelled "md5", which is of course pretty weird. And it will > become weirder over time. > > I think we want to have a new keyword in pg_hba.conf for that, one which > does not indicate any particular algorithm or method (so not "scram" or > "sasl"). > > We could use "password". If we think that "md5" can mean md5-or-beyond, > then maybe "password" can mean password-or-md5-or-beyond. > > Or otherwise a completely new word. > > We also want to give users/admins a way to phase out old methods or set > some policy. We could either make a global GUC setting > password_methods='md5 scram-sha-256' and/or make that an option in > pg_hba.conf past the method field. Yeah, that would be reasonable. It can't be called just "password", though, because there's no way to implement "password-or-md5-or-scram" in a sensible way (see my reply to Simon at [1]). Unless we remove the support for what "password" does today altogether, and redefine "password" to mean just "md5-or-beyond". Which might not be a bad idea, but that's a separate discussion. In any case, I think we would probably still need more fine-grained control, too, so we would still need to have "scram-sha-256" as a method you can specify directly in pg_hba.conf. So I consider this as a separate, new, feature that we can add in the future, if it seems worth the effort. I've committed a simple renaming of "scram" to "scram-sha-256", as the pg_hba.conf and password_encryption option. I think that will do for v10. [1] https://www.postgresql.org/message-id/fa6cec54-4fa9-756d-53be-a5ba3d03d881@iki.fi - Heikki
В списке pgsql-hackers по дате отправления: