Re: Successor of MD5 authentication, let's use SCRAM

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: Successor of MD5 authentication, let's use SCRAM
Date: 2012-10-23 16:53:14
Message-ID: 5086CB7A.5040406@gmx.net
Lists: pgsql-hackers

On 10/22/12 1:25 PM, Stephen Frost wrote:
> * Peter Eisentraut (peter_e(at)gmx(dot)net) wrote:
>> On 10/12/12 3:44 PM, Stephen Frost wrote:
>>> In general, I think it's good to build on existing implementations where
>>> possible. Perhaps we could even consider using something which already
>>> exists for this?
>>
>> Sounds like SASL to me.
>
> aiui, that would allow us to support SCRAM and we could support
> Kerberos/GSSAPI under SASL as well... Not sure how comfortable folks
> would be with moving to that though.

Considering all the design and implementation challenges that have been
brought up in this thread:

- not using MD5

- not using whatever we replace MD5 with when that gets broken

- content of pg_shadow can be used to log in

- questions about salt collisions

- making the hash more expensive

- negotiating how much more expensive, allowing changes in the future

- using HMAC to guard against length-extension attacks

- support for poolers/proxies

I think I would be less comfortable with a hand-crafted solution to each
of these issues, and would be more comfortable with using an existing
solution that, from the look of it, already does all of that, and which
is used by mail and LDAP servers everywhere.

That said, I don't have any experience programming SASL clients or
servers, only managing existing implementations. But I'd say it's
definitely worth a look.
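The properties listed above are what SCRAM (RFC 5802) delivers by construction, as this added Python example shows; it is not code from the thread or from PostgreSQL, and it assumes SHA-256 as the hash, a constructed user and password, and a default iteration count of 4096. The server-announced iteration count is the negotiable cost, HMAC is used throughout, and the server stores only H(ClientKey), so the stored verifier cannot by itself produce a valid client proof.

```python
import base64, hashlib, hmac, os, secrets

HASH = "sha256"  # assumption: SCRAM-SHA-256; the mechanism is hash-agnostic

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() of RFC 5802 is PBKDF2-HMAC; the iteration count is the tunable cost.
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)

def make_verifier(password: bytes, iterations: int = 4096) -> dict:
    """Server-side record: salt, cost and two derived keys, never the password."""
    salt = os.urandom(16)
    sp = hi(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.new(HASH, client_key).digest(),
            "server_key": hmac.new(sp, b"Server Key", HASH).digest()}

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def scram_exchange(user: str, password: bytes, verifier: dict) -> bool:
    """Run the four SCRAM messages in-process; True iff both sides accept."""
    # client-first: username and a fresh client nonce (no channel binding: "n,,")
    cnonce = b64(secrets.token_bytes(18))
    client_first_bare = f"n={user},r={cnonce}"
    # server-first: server appends its nonce and announces salt and iteration count
    snonce = cnonce + b64(secrets.token_bytes(18))
    server_first = f"r={snonce},s={b64(verifier['salt'])},i={verifier['iterations']}"
    # client derives its keys from the parameters the server sent
    fields = dict(kv.split("=", 1) for kv in server_first.split(","))
    sp = hi(password, base64.b64decode(fields["s"]), int(fields["i"]))
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_final_bare = f"c=biws,r={fields['r']}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    # client proof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    proof = xor(client_key, hmac.new(stored_key, auth_message, HASH).digest())
    # server recovers ClientKey from the proof; it only holds StoredKey = H(ClientKey),
    # so a copy of the verifier alone cannot produce a valid proof
    recovered = xor(proof, hmac.new(verifier["stored_key"], auth_message, HASH).digest())
    if not hmac.compare_digest(hashlib.new(HASH, recovered).digest(), verifier["stored_key"]):
        return False
    # server-final: server proves it knows ServerKey, client checks it (mutual auth)
    server_sig = hmac.new(verifier["server_key"], auth_message, HASH).digest()
    expected = hmac.new(hmac.new(sp, b"Server Key", HASH).digest(), auth_message, HASH).digest()
    return hmac.compare_digest(server_sig, expected)
```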
