Re: SCRAM authentication, take three

On Fri, Apr 07, 2017 at 10:28:59AM +0300, Heikki Linnakangas wrote:
> On 04/07/2017 08:21 AM, Noah Misch wrote:
> >Michael shared[1] better pg_hba.conf syntax on 2016-11-05. I agreed[2] with
> >his framing of the problem and provided two syntax alternatives, on
> >2017-01-18. Michael implemented[3] a variation of one of those on 2017-02-20,
> >which you declined in your 2017-03-07 commit with just the explanation quoted
> >above. I say Michael came up with something better five months ago.
>
> OK. My feeling is that we should have a relatively short and
> easy-to-pronounce name for it. People editing pg_hba.conf with a text editor
> will need to type in the keyword, and "scram" is a lot easier to remember
> than "scram-sha-256". The word will also be used in conversations, "hey,
> Noah, can you add example.com to the hba file, with scram, please?" If md5
> had a more difficult name, I think we would've come up with a shorthand for
> it back in the day, too.
>
> I might be wrong, of course. I don't set up PostgreSQL installations for a
> living, so I might be out of touch of what's important.

Likewise, but I've never seen pg_hba.conf edits become a large slice of
PostgreSQL DBA work. Whereas experts can appreciate terse query syntax,
pg_hba.conf syntax gains little from terseness.

> In [1], Michael wrote:
> >There is also the channel binding to think about... So we could have a
> >list of keywords perhaps associated with SASL? Imagine for example:
> >sasl $algo,$channel_binding
> >Giving potentially:
> >sasl scram_sha256
> >sasl scram_sha256,channel
> >sasl scram_sha512
> >sasl scram_sha512,channel
> >In the case of the patch of this thread just the first entry would
> >make sense, once channel binding support is added a second
> >keyword/option could be added. And there are of course other methods
> >that could replace SCRAM..
>
> It should also be possible to somehow specify "use channel binding, if the
> client supports it".
>
> I don't think "sasl" is interesting to a user, it's the actual mechanisms
> (e.g "scram-sha256") that matter. So I'd suggest that we allow a list of
> algorithms in the method field. If we go with the longer "scram-sha-256"
> name, it would look like this:
>
> # TYPE DATABASE USER ADDRESS METHOD
> host all all example.com scram-sha-256-plus,
> scram-sha-256

I agree "sasl" focuses on a less-interesting aspect of the authentication
method. Allowing multiple methods per HBA line may be the better answer, so
long as the policy questions it raises aren't too thorny. Do you allow any
combination of methods or limit it somehow (e.g. only SASL methods)? If the
same option pertains to two methods, do we provide a way to set the option on
just one method? Those don't seem too challenging, though.

> The problem again is that those names are quite long. Is that OK?

Yes.

With this, you could have a meta-method name (e.g. "default") that stands for
all methods generally considered safe. Compare SSL default cipher lists.

> In [2], you wrote:
> >The latest versions document this precisely, but I agree with Peter's concern
> >about plain "scram". Suppose it's 2025 and PostgreSQL support SASL mechanisms
> >OAUTHBEARER, SCRAM-SHA-256, SCRAM-SHA-256-PLUS, and SCRAM-SHA3-512. What
> >should the pg_hba.conf options look like at that time? I don't think having a
> >single "scram" option fits in such a world. I see two strategies that fit:
> >
> >1. Single "sasl" option, with a GUC, similar to ssl_ciphers, controlling the
> > mechanisms to offer.
> >2. Separate options "scram_sha_256", "scram_sha3_512", "oauthbearer", etc.
>
> The example I gave above is like option 2. The problem with option 1 is that
> different SASL mechanisms can have very different properties. You might want
> to allow "NTLM" from a trusted network, but require "OTP" from the public
> internet, for example. So I don't think a single GUC would be flexible
> enough.
>
> That said, a GUC with a more narrow scope might be OK. If we called the
> method in pg_hba.conf "secure_password", and had a GUC to list which
> password-based mechanisms are considered secure, that would be OK. But I
> think we'd still need a separate pg_hba.conf method name for OAUTHBEARER,
> for example.

Michael replied to my message with the idea to use a mechanism= HBA option.
That's better than a GUC.

> PS. If we go with the full names, I think it should "scram-sha-256", rather
> than "scram_sha_256", because the official name uses dashes rather than
> underscores.

Agreed, I don't remember why I wrote underscores. One could argue on that
basis for using uppercase, but I won't.

These are the two chief approaches I'm seeing:

1. scram-sha-256, scram-sha-256-plus, and successors will be their own
pg_hba.conf authentication methods. Until and unless someone implements an
ability to name multiple methods per HBA line, you must choose exactly one
SASL method. The concrete work for v10 would be merely renaming "scram" to
"scram-sha-256".

2. Create a multiplexed authentication method like "sasl" or "scram" (not to
be confused with today's "scram" method, which denotes SCRAM-SHA-256
precisely). The DBA permits concrete methods like scram-sha-256 via HBA
option. Absent that option, the system could default to a reasonable list.

I had been favoring (2), but I'm starting to like (1) more. (2) assumes all
SASL methods or all SCRAM methods have something in common with each other and
not with other methods, and that's not so. For example, one might implement
simultaneous md5 and scram-sha-256. (1) is harder to implement, but we can
defer that work indefinitely.

Thanks,
nm