Re: [HACKERS] SCRAM in the PG 10 release notes - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: [HACKERS] SCRAM in the PG 10 release notes
Msg-id 20170511025051.GC17200@momjian.us
In response to Re: [HACKERS] SCRAM in the PG 10 release notes  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: [HACKERS] SCRAM in the PG 10 release notes  (Michael Paquier <michael.paquier@gmail.com>)
Re: [HACKERS] SCRAM in the PG 10 release notes  (Noah Misch <noah@leadboat.com>)
List pgsql-hackers
On Mon, May  1, 2017 at 08:12:51AM -0400, Robert Haas wrote:
> On Tue, Apr 25, 2017 at 10:16 PM, Bruce Momjian <bruce@momjian.us> wrote:
> > Well, we could add "MD5 users are encouraged to switch to
> > SCRAM-SHA-256".  Now whether we want to list this as something on the
> > SCRAM-SHA-256 description, or mention it as an incompatibility, or
> > under Migration.  I am not clear that MD5 is in such terrible shape that
> > this is warranted.
> 
> I think it's warranted.  The continuing use of MD5 has been a headache
> for some EnterpriseDB customers who have compliance requirements which
> they must meet.  It's not that they themselves necessarily know or
> care whether MD5 is secure, although in some cases they do; it's that
> if they use it, they will be breaking laws or regulations to which
> their business or agency is subject.  I imagine customers of other
> PostgreSQL companies have similar issues.  But leaving that aside, the
> advantage of SCRAM isn't merely that it uses a better algorithm to
> hash the password.  It has other advantages also, like not being
> vulnerable to replay attacks.  If you're doing password
> authentication, you should really be using SCRAM, and encouraging
> people to move to SCRAM after upgrading is a good idea.
> 
> That having been said, SCRAM is a wire protocol break.  You will not
> be able to upgrade to SCRAM unless and until the drivers you use to
> connect to the database add support for it.  The only such driver
> that's part of PostgreSQL itself is libpq; other drivers that have reimplemented the
> PostgreSQL wire protocol will have to be updated with SCRAM support
> before it will be possible to use SCRAM with those drivers.  I think
> this should be mentioned in the release notes, too.  I also think it
> would be great if somebody would put together a wiki page listing all
> the popular drivers and (1) whether they use libpq or reimplement the
> wire protocol, and (2) if the latter, the status of any efforts to
> implement SCRAM, and (3) if those efforts have been completed, the
> version from which they support SCRAM.  Then, I think we should reach
> out to the maintainers of those drivers who aren't
> moving to support SCRAM and encourage them to do so.

I have added this as an open item because we will have to wait to see
where we are with driver support as the release gets closer.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
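Added example, not code from the thread or from PostgreSQL itself: a minimal SCRAM-SHA-256 exchange (RFC 5802/7677, the mechanism PostgreSQL 10 added) next to PostgreSQL's older md5 challenge-response. It shows the two properties the reply above turns on: the SCRAM client proof is bound to the server's per-session nonce, so a captured proof fails verification in a new session, and with md5 the stored value md5(password || user) is itself enough to answer any challenge, so the hash is password-equivalent. The user name, password, salts and nonces are constructed test values; 4096 is PostgreSQL's default SCRAM iteration count.

```python
"""Added example, not from the thread or the PostgreSQL source tree.
SCRAM-SHA-256 proof/verification (RFC 5802/7677) beside PostgreSQL's md5
challenge-response. Password, user, salts and nonces are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 4096  # PostgreSQL's default SCRAM iteration count


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """Server-side record: StoredKey and ServerKey, derived once when the role is created."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(_hmac(salted, b"Client Key")).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }


def scram_messages(user: str, client_nonce: str, server_nonce: str, verifier: dict) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof."""
    nonce = client_nonce + server_nonce
    client_first_bare = f"n={user},r={client_nonce}"
    server_first = (f"r={nonce},s={base64.b64encode(verifier['salt']).decode()},"
                    f"i={verifier['iterations']}")
    # c= carries the base64 gs2 header "n,," (no channel binding requested)
    client_final_no_proof = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
    return ",".join([client_first_bare, server_first, client_final_no_proof]).encode()


def client_proof(password: str, verifier: dict, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 verifier["salt"], verifier["iterations"])
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))


def server_verify(verifier: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof, check H(ClientKey) == StoredKey."""
    client_key = _xor(proof, _hmac(verifier["stored_key"], auth_message))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), verifier["stored_key"])


def scram_replay_demo(user: str, password: str) -> dict:
    """One honest session, then the captured proof replayed against a fresh server nonce."""
    verifier = scram_verifier(password, os.urandom(16))
    c_nonce = base64.b64encode(os.urandom(18)).decode()
    s_nonce1 = base64.b64encode(os.urandom(18)).decode()
    auth1 = scram_messages(user, c_nonce, s_nonce1, verifier)
    proof1 = client_proof(password, verifier, auth1)
    # An eavesdropper replays client-first and client-final (with proof1);
    # the server picks its own new nonce, so the AuthMessage differs.
    s_nonce2 = base64.b64encode(os.urandom(18)).decode()
    auth2 = scram_messages(user, c_nonce, s_nonce2, verifier)
    return {"honest": server_verify(verifier, auth1, proof1),
            "replayed": server_verify(verifier, auth2, proof1)}


# --- PostgreSQL md5 authentication, for contrast ---
def md5_stored(password: str, user: str) -> str:
    """What pg_authid holds for an md5 role: "md5" + md5(password || user)."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def md5_response(stored: str, salt: bytes) -> str:
    """Client answer to AuthenticationMD5Password: "md5" + md5(inner_hex || salt).
    Only the stored hash is needed, not the password."""
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def md5_pass_the_hash_demo(user: str, password: str) -> bool:
    """Whoever holds the stored md5 value answers the challenge exactly as the real client does."""
    stored = md5_stored(password, user)
    salt = os.urandom(4)
    inner = hashlib.md5((password + user).encode()).hexdigest().encode()
    from_password = "md5" + hashlib.md5(inner + salt).hexdigest()
    return md5_response(stored, salt) == from_password
```

Run `scram_replay_demo("alice", "correct horse")` to see `{'honest': True, 'replayed': False}`; the replayed proof fails because HMAC(StoredKey, AuthMessage) changes with the server nonce, so XOR-ing the old proof no longer recovers ClientKey. `md5_pass_the_hash_demo` returns True: the md5 stored value answers every challenge, which is the compliance and credential-theft concern behind the push to SCRAM.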