Re: [HACKERS] SCRAM in the PG 10 release notes

On 14/09/17 08:57, Heikki Linnakangas wrote:
> On 09/12/2017 04:09 AM, Noah Misch wrote:
>> On Wed, May 10, 2017 at 10:50:51PM -0400, Bruce Momjian wrote:
>>> On Mon, May  1, 2017 at 08:12:51AM -0400, Robert Haas wrote:
>>>> On Tue, Apr 25, 2017 at 10:16 PM, Bruce Momjian <bruce@momjian.us> 
>>>> wrote:
>>>>> Well, we could add "MD5 users are encouraged to switch to
>>>>> SCRAM-SHA-256".  Now whether we want to list this as something on the
>>>>> SCRAM-SHA-256 description, or mention it as an incompatibility, or
>>>>> under Migration.  I am not clear that MD5 is in such terrible 
>>>>> shape that
>>>>> this is warranted.
>>>>
>>>> I think it's warranted.  The continuing use of MD5 has been a headache
>>>> for some EnterpriseDB customers who have compliance requirements which
>>>> they must meet.  It's not that they themselves necessarily know or
>>>> care whether MD5 is secure, although in some cases they do; it's that
>>>> if they use it, they will be breaking laws or regulations to which
>>>> their business or agency is subject.  I imagine customers of other
>>>> PostgreSQL companies have similar issues.  But leaving that aside, the
>>>> advantage of SCRAM isn't merely that it uses a better algorithm to
>>>> hash the password.  It has other advantages also, like not being
>>>> vulnerable to replay attacks.  If you're doing password
>>>> authentication, you should really be using SCRAM, and encouraging
>>>> people to move to SCRAM after upgrading is a good idea.
>>>>
>>>> That having been said, SCRAM is a wire protocol break.  You will not
>>>> be able to upgrade to SCRAM unless and until the drivers you use to
>>>> connect to the database add support for it.  The only such driver
>>>> that's part of libpq; other drivers that have reimplemented the
>>>> PostgreSQL wire protocol will have to be updated with SCRAM support
>>>> before it will be possible to use SCRAM with those drivers. I think
>>>> this should be mentioned in the release notes, too.  I also think it
>>>> would be great if somebody would put together a wiki page listing all
>>>> the popular drivers and (1) whether they use libpq or reimplement the
>>>> wire protocol, and (2) if the latter, the status of any efforts to
>>>> implement SCRAM, and (3) if those efforts have been completed, the
>>>> version from which they support SCRAM.  Then, I think we should reach
>>>> out to all of the maintainers of those driver authors who aren't
>>>> moving to support SCRAM and encourage them to do so.
>>>
>>> I have added this as an open item because we will have to wait to see
>>> where we are with driver support as the release gets closer.
>>
>> With the release near, I'm promoting this to the regular open issues 
>> section.
>
> Thanks.
>
> I updated the list of drivers on the wiki 
> (https://wiki.postgresql.org/wiki/List_of_drivers), adding a column 
> for whether the driver supports SCRAM authentication. Currently, the 
> only non-libpq driver that has implemented SCRAM is the JDBC driver. I 
> submitted a patch for the Go driver, but it hasn't been committed yet.
    On the JDBC driver, strictly speaking, code has not been released 
yet. It is scheduled for v 42.2.0, and maybe the wiki should also 
mention from what version of the driver it is supported (I guess for all 
cases, unless their versioning would be synced with PostgreSQL's).

    Álvaro


-- 

Alvaro Hernandez


-----------
OnGres



-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers