From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Magnus Hagander <magnus(at)hagander(dot)net>, Noah Misch <noah(at)leadboat(dot)com>, Aleksander Alekseev <a(dot)alekseev(at)postgrespro(dot)ru>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SCRAM authentication, take three |
Date: | 2017-04-07 22:32:57 |
Message-ID: | CAB7nPqRkvOaacg+Bu8rtJbcPXU2T7AUDOg-9AdZHnuJ4_X+ePw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Sat, Apr 8, 2017 at 1:59 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>> I think the "SCRAM" part is more important than "SHA-256", so -1 on that.
>
> I agree. The point here isn't that we're using a better hashing
> method, even if a lot of people *think* that's the point. The point
> is we're using a modern algorithm that has nice properties like "you
> can't impersonate the client by steeling the verifier, or even by
> snooping the exchange".
>
> But "sasl" might be even better.
FWIW, my opinion has not changed much on the matter, I would still
favor "sasl" as the keyword used in pg_hba.conf. What has changed in
my mind though is that defining no mechanisms with an additional
option mean that all possible choices are sent to the client. But if
you define a list of mechanisms, then we'll just send back to the
client the specified list as a possible choice of exchange mechanism:
host all all blah.com sasl mechanism=scram-sha-256-plus
Here for example the user would not be allowed to use SCRAM-SHA-256,
just SCRAM with channel binding.
Such an option makes sense once we add support for one more mechanism
in SASL, like channel binding, but that's by far a generic approach
that can serve us for years to come, and by admitting that nothing
listed means all possible options we don't need any immediate action.
--
Michael
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2017-04-07 22:34:51 | Re: monitoring.sgml missing tag |
Previous Message | Alvaro Herrera | 2017-04-07 22:30:57 | Re: mvstats triggers 32bit warnings |