From: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
Subject: | Re: Authentication tests, and plain 'password' authentication with a SCRAM verifier |
Date: | 2017-03-14 19:02:48 |
Message-ID: | CAMkU=1w3jQ53M1OeNfN8Cxd9O+A_9VONJivTbYoYRRdRsLT6vA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Mar 14, 2017 at 5:36 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> Hi,
>
> I didn't include the authentication TAP tests that Michael wrote in the
> main SCRAM commit last week. The main issue was that the new test was
> tacked on the src/test/recovery test suite, for lack of a better place. I
> propose that we add a whole new src/test/authentication directory for it.
> It would also be logical to merge src/test/ssl into it, but the SSL test
> suite has some complicated setup steps, to create the certificates, and it
> cannot be safely run on a multi-user system. So probably best to keep it
> separate, after all.
>
> While looking at the test, I noticed that the SCRAM patch didn't include
> support for logging in with plain 'password' authentication, when the user
> has a SCRAM verifier stored in pg_authid. That was an oversight. If the
> client gives the server the plain password, it's easy for the server to
> verify that it matches the SCRAM verifier.
>
I noticed the asymmetry over plain-text passwords, and didn't know if it
was intentional or not. It is somewhat disconcerting that the client will
send a plain-text password to a mis-configured (or mal-configured) server,
but I don't think there is anything this patch series can reasonably do
about that.
>
> Attached patches add the TAP test suite, and implement plain 'password'
> authentication for users with SCRAM verifier. Any comments?
Does what it says, says what it does. There is no installcheck target,
which makes sense because it inherently has to muck around with
pg_hba.conf. The test should be updated to test the syntax for
0001-Add-clause-PASSWORD-val-USING-protocol-to-CREATE-ALT.patch if that
gets committed.
The message returned to the client for the wrong password differs between
pg_hba-set scram and pg_hba-set md5/password methods. Is that OK?
psql: error received from server in SASL exchange: invalid-proof
psql: FATAL: password authentication failed for user "test"
Cheers,
Jeff
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2017-03-14 19:05:29 | Re: logical replication access control patches |
Previous Message | Robert Haas | 2017-03-14 19:02:04 | Re: WAL Consistency checking for hash indexes |