pgsql: Allow SCRAM authentication, when pg_hba.conf says 'md5'.

Поиск
Список
Период
Сортировка
От Heikki Linnakangas
Тема pgsql: Allow SCRAM authentication, when pg_hba.conf says 'md5'.
Дата
Msg-id E1crNUX-0004uA-Md@gemulon.postgresql.org
обсуждение исходный текст
Список pgsql-committers
Дерево обсуждения 
Allow SCRAM authentication, when pg_hba.conf says 'md5'.

If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.

Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the  "user has expired password", and
"user does not exist" cases in auth.c.

On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.

Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/7ac955b34791500069179e1ea986f46d510126d9

Modified Files
--------------
doc/src/sgml/client-auth.sgml             |  37 +++---
src/backend/libpq/auth-scram.c            | 104 +++++++++--------
src/backend/libpq/auth.c                  | 179 +++++++++++++++++++-----------
src/backend/libpq/crypt.c                 |  44 +++-----
src/backend/libpq/hba.c                   |   2 +-
src/include/libpq/crypt.h                 |   3 +-
src/include/libpq/hba.h                   |   2 +-
src/include/libpq/scram.h                 |   2 +-
src/test/authentication/t/001_password.pl |   6 +-
9 files changed, 214 insertions(+), 165 deletions(-)

В списке pgsql-committers по дате отправления:

Предыдущее
От: Teodor Sigaev
Дата:
Сообщение: [COMMITTERS] pgsql: Fix backup canceling
Следующее
От: Peter Eisentraut
Дата:
Сообщение: pgsql: Handle empty result set in libpqrcv_exec