Re: Password identifiers, protocol aging and SCRAM protocol

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Julian Markwort <julian(dot)markwort(at)uni-muenster(dot)de>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>, Valery Popov <v(dot)popov(at)postgrespro(dot)ru>
Subject: Re: Password identifiers, protocol aging and SCRAM protocol
Date: 2016-07-02 19:54:09
Message-ID: 753ff453-b6b6-56c6-9b73-8190731a5f87@iki.fi
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

So, the consensus so far seems to be: We don't want the support for
multiple password verifiers per user. At least not yet. Let's get SCRAM
working first, in a way that a user can only have SCRAM or an MD5 hash
stored in the database, not both. We can add support for multiple
verifiers per user, password aging, etc. later. Hopefully we'll make
some progress on those before 9.7 is released, too, but let's treat them
as separate issues and focus on SCRAM.

I took a quick look at the patch set now again, and except that it needs
to have the multiple password verifier support refactored out, I think
it's in a pretty good shape. I don't like the pg_upgrade changes and its
support function, that also seems like an orthogonal or add-on feature
that would be better discussed separately. I think pg_upgrade should
just do the upgrade with as little change to the system as possible, and
let the admin reset/rehash/deprecate the passwords separately, when she
wants to switch all users to SCRAM. So I suggest that we rip out those
changes from the patch set as well.

In related news, RFC 7677 that describes a new SCRAM-SHA-256
authentication mechanism, was published in November 2015. It's identical
to SCRAM-SHA-1, which is what this patch set implements, except that
SHA-1 has been replaced with SHA-256. Perhaps we should forget about
SCRAM-SHA-1 and jump straight to SCRAM-SHA-256.

RFC 7677 also adds some verbiage, in response to vulnerabilities that
have been found with the "tls-unique" channel binding mechanism:

> To be secure, either SCRAM-SHA-256-PLUS and SCRAM-SHA-1-PLUS MUST be
> used over a TLS channel that has had the session hash extension
> [RFC7627] negotiated, or session resumption MUST NOT have been used.

So that doesn't affect details of the protocol per se, but once we
implement channel binding, we need to check for those conditions somehow
(or make sure that OpenSSL checks for them).

Michael, do you plan to submit a new version of this patch set for the
next commitfest? I'd like to get this committed early in the 9.7 release
cycle, so that we have time to work on all the add-on stuff before the
release.

- Heikki

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2016-07-02 22:10:02 Re: [COMMITTERS] pgsql: Avoid extra locks in GetSnapshotData if old_snapshot_threshold <
Previous Message Kevin Grittner 2016-07-02 19:20:13 Re: [COMMITTERS] pgsql: Avoid extra locks in GetSnapshotData if old_snapshot_threshold <