Re: [HACKERS] SCRAM in the PG 10 release notes
От | Alvaro Hernandez |
---|---|
Тема | Re: [HACKERS] SCRAM in the PG 10 release notes |
Дата | |
Msg-id | 621c5aad-2394-0234-52c6-a380ee7996bc@ongres.com обсуждение исходный текст |
Ответ на | Re: [HACKERS] SCRAM in the PG 10 release notes (Heikki Linnakangas <hlinnaka@iki.fi>) |
Ответы |
Re: [HACKERS] SCRAM in the PG 10 release notes
(Dave Cramer <pg@fastcrypt.com>)
|
Список | pgsql-hackers |
On 14/09/17 08:57, Heikki Linnakangas wrote: > On 09/12/2017 04:09 AM, Noah Misch wrote: >> On Wed, May 10, 2017 at 10:50:51PM -0400, Bruce Momjian wrote: >>> On Mon, May 1, 2017 at 08:12:51AM -0400, Robert Haas wrote: >>>> On Tue, Apr 25, 2017 at 10:16 PM, Bruce Momjian <bruce@momjian.us> >>>> wrote: >>>>> Well, we could add "MD5 users are encouraged to switch to >>>>> SCRAM-SHA-256". Now whether we want to list this as something on the >>>>> SCRAM-SHA-256 description, or mention it as an incompatibility, or >>>>> under Migration. I am not clear that MD5 is in such terrible >>>>> shape that >>>>> this is warranted. >>>> >>>> I think it's warranted. The continuing use of MD5 has been a headache >>>> for some EnterpriseDB customers who have compliance requirements which >>>> they must meet. It's not that they themselves necessarily know or >>>> care whether MD5 is secure, although in some cases they do; it's that >>>> if they use it, they will be breaking laws or regulations to which >>>> their business or agency is subject. I imagine customers of other >>>> PostgreSQL companies have similar issues. But leaving that aside, the >>>> advantage of SCRAM isn't merely that it uses a better algorithm to >>>> hash the password. It has other advantages also, like not being >>>> vulnerable to replay attacks. If you're doing password >>>> authentication, you should really be using SCRAM, and encouraging >>>> people to move to SCRAM after upgrading is a good idea. >>>> >>>> That having been said, SCRAM is a wire protocol break. You will not >>>> be able to upgrade to SCRAM unless and until the drivers you use to >>>> connect to the database add support for it. The only such driver >>>> that's part of libpq; other drivers that have reimplemented the >>>> PostgreSQL wire protocol will have to be updated with SCRAM support >>>> before it will be possible to use SCRAM with those drivers. I think >>>> this should be mentioned in the release notes, too. I also think it >>>> would be great if somebody would put together a wiki page listing all >>>> the popular drivers and (1) whether they use libpq or reimplement the >>>> wire protocol, and (2) if the latter, the status of any efforts to >>>> implement SCRAM, and (3) if those efforts have been completed, the >>>> version from which they support SCRAM. Then, I think we should reach >>>> out to all of the maintainers of those driver authors who aren't >>>> moving to support SCRAM and encourage them to do so. >>> >>> I have added this as an open item because we will have to wait to see >>> where we are with driver support as the release gets closer. >> >> With the release near, I'm promoting this to the regular open issues >> section. > > Thanks. > > I updated the list of drivers on the wiki > (https://wiki.postgresql.org/wiki/List_of_drivers), adding a column > for whether the driver supports SCRAM authentication. Currently, the > only non-libpq driver that has implemented SCRAM is the JDBC driver. I > submitted a patch for the Go driver, but it hasn't been committed yet. On the JDBC driver, strictly speaking, code has not been released yet. It is scheduled for v 42.2.0, and maybe the wiki should also mention from what version of the driver it is supported (I guess for all cases, unless their versioning would be synced with PostgreSQL's). Álvaro -- Alvaro Hernandez ----------- OnGres -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
В списке pgsql-hackers по дате отправления:
Следующее
От: Alexey ChernyshovДата:
Сообщение: Re: [HACKERS] [PATCH] Add citext_pattern_ops to citext contribmodule