Re: WIP: SCRAM authentication - Mailing list pgsql-hackers

From: Stephen Frost
Subject: Re: WIP: SCRAM authentication
Msg-id: 20150813012259.GQ3685@tamriel.snowman.net
In response to: Re: WIP: SCRAM authentication (Josh Berkus <josh@agliodbs.com>)
Responses: Re: WIP: SCRAM authentication (Michael Paquier <michael.paquier@gmail.com>)
List: pgsql-hackers

* Josh Berkus (josh@agliodbs.com) wrote:
> On 08/12/2015 01:37 PM, Stephen Frost wrote:
> > Would be great to get comments on the other comments, specifically that
> > adding SCRAM's password verifier won't seriously change the security of
> > a user's account or password based on an attack vector where the
> > contents of pg_authid is compromised.  I do agree with the general
> > concern that the additional complexity involved in supporting multiple
> > password verifiers may result in bugs, and likely security ones, but I
> > really expect the larger risk to be from the SCRAM implementation itself
> > than how we get data into and back out of our own catalogs.
>
> There's also the concern that the additional complexity will cause
> *users* to make security-compromising mistakes, which I think is the
> greater risk.  Robert has mostly won me over to his point of view on this.

That is certainly an issue to address, but it's one which I believe we
can address a great deal better than what we're doing with the currently
proposed patch.  I do feel we need to provide flexibility and options,
but we also need to consider the simple case and make sure that it
remains simple.

> The only case where I can see multiple verifiers per role making a real
> difference in migrations is for PGAAS hosting.  But the folks from
> Heroku and AWS have been notably silent on this; lemme ping them.

While their insight is certainly valuable, they are certainly not the
only cases of one-user-to-rule-them-all environments.  Further, there's
going to be cases where multiple applications from different languages
are accessing the database through the same account because there's only
one account.

I'd rather not punt on those cases and, further, assume that we'll
always be able to keep it to only one password verifier per account.  As
I tried to outline up-thread, there are a set of features which would be
very nice for us to have which require further information to be saved
beyond even these different password verifiers for each.

As mentioned elsewhere, even SCRAM can have multiple password verifiers
based on the various hash algorithms used.  In other words, I doubt the
'only one password verifier per role' approach is going to work out for
us long term in any case.

Thanks!

Stephen
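The point above that SCRAM itself implies one verifier per hash algorithm is easy to see in code. The following is an added illustration written for this archive page, not code from the thread or from the PostgreSQL patch under discussion: it derives the RFC 5802 server-side verifier (salt, iteration count, StoredKey, ServerKey) for the same password under SHA-1 and SHA-256, then runs the server-side proof check. The password, salt and AuthMessage are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ScramVerifier:
    """What the server stores for one role and one hash algorithm (RFC 5802 s.5.1)."""
    algo: str          # hashlib digest name, e.g. "sha1" or "sha256"
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey): lets the server check a proof, not forge one
    server_key: bytes  # HMAC(SaltedPassword, "Server Key"): for the server signature


def _client_key(password: str, salt: bytes, iterations: int, algo: str) -> bytes:
    # SaltedPassword = Hi(password, salt, i) is PBKDF2 with HMAC-<algo>.
    salted = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    return hmac.new(salted, b"Client Key", algo).digest()


def build_verifier(password: str, salt: bytes, iterations: int, algo: str) -> ScramVerifier:
    """Derive the per-algorithm verifier a server would keep in its catalog."""
    salted = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    stored_key = hashlib.new(algo, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    return ScramVerifier(algo, salt, iterations, stored_key, server_key)


def client_proof(password: str, verifier: ScramVerifier, auth_message: bytes) -> bytes:
    """What a client sends: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _client_key(password, verifier.salt, verifier.iterations, verifier.algo)
    client_sig = hmac.new(verifier.stored_key, auth_message, verifier.algo).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def verify_client_proof(verifier: ScramVerifier, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare H(ClientKey) to StoredKey."""
    client_sig = hmac.new(verifier.stored_key, auth_message, verifier.algo).digest()
    if len(proof) != len(client_sig):
        return False  # a proof built for another hash algorithm has the wrong length
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    recovered = hashlib.new(verifier.algo, client_key).digest()
    return hmac.compare_digest(recovered, verifier.stored_key)


def demo() -> dict:
    """Same password and salt, two algorithms: two distinct verifiers, and a proof
    made for one algorithm does not verify against the other's stored keys."""
    password = "correct horse battery staple"   # constructed sample password
    salt = b"constructed-16-byte-salt"          # constructed; real salts are random
    iterations = 4096
    auth_message = b"n=alice,r=cnonce,s=c2FsdA==,i=4096,c=biws,r=cnonce-snonce"  # constructed

    v_sha1 = build_verifier(password, salt, iterations, "sha1")
    v_sha256 = build_verifier(password, salt, iterations, "sha256")
    proof256 = client_proof(password, v_sha256, auth_message)
    return {
        "verifiers_differ": v_sha1.stored_key != v_sha256.stored_key,
        "sha256_proof_ok_against_sha256": verify_client_proof(v_sha256, auth_message, proof256),
        "sha256_proof_ok_against_sha1": verify_client_proof(v_sha1, auth_message, proof256),
        "wrong_password_ok": verify_client_proof(
            v_sha256, auth_message, client_proof("wrong", v_sha256, auth_message)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things follow directly from the derivation. First, the SHA-256 verifier cannot be computed from the SHA-1 one (or vice versa), so a server that wants to offer both mechanisms to a role must store both, which is exactly the "more than one verifier per role" situation the message is concerned about. Second, on the pg_authid-compromise question raised up-thread, what the server stores is H(ClientKey), not ClientKey, so a copy of the catalog row by itself does not yield a valid client proof; it does hand over ServerKey, which is why a leaked verifier still needs to be rotated.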
