Re: Possible to store invalid SCRAM-SHA-256 Passwords - Mailing list pgsql-bugs

From Michael Paquier
Subject Re: Possible to store invalid SCRAM-SHA-256 Passwords
Date
Msg-id 20190422015051.GA3433@paquier.xyz
In response to Re: Possible to store invalid SCRAM-SHA-256 Passwords  ("Jonathan S. Katz" <jkatz@postgresql.org>)
Responses Re: Possible to store invalid SCRAM-SHA-256 Passwords  ("Jonathan S. Katz" <jkatz@postgresql.org>)
Re: Possible to store invalid SCRAM-SHA-256 Passwords  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs

On Sat, Apr 20, 2019 at 04:12:56PM -0400, Jonathan S. Katz wrote:
> I modified the "get_password_type" function to perform a SCRAM
> verification to see if it is a properly hashed SCRAM password. If it is,
> we treat the password as a SCRAM hashed one. Otherwise, we proceed to
> the next step, which is to treat it as a plainly stored one.

Since v10, we don't allow the storage of plain verifiers so if a
string does not match what we think is a correct SCRAM or MD5
verifier, then it should be processed according to
password_encryption when storing the verifier or processed according
to the auth protocol with the HBA entry matching.  Your patch looks
fine to me, I would have just added a test case in password.sql (no
need to send a new patch, I can take care of it).

Any objections to back-patch that stuff to v10?
--
Michael
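
Added example, not part of the original message and not PostgreSQL's own C code: a Python illustration of the check discussed above, where a string counts as a SCRAM verifier only if it parses completely, and anything else falls through to the MD5 test and then to plaintext handling. The layouts `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` and `md5` plus 32 hex digits are assumed from the PostgreSQL documentation; the function names and sample strings are constructed for illustration.

```python
import base64
import binascii
import re

# Assumed layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
SCRAM_PREFIX = "SCRAM-SHA-256$"
SHA256_LEN = 32  # StoredKey and ServerKey are SHA-256-sized values
MD5_RE = re.compile(r"md5[0-9a-f]{32}")

def _b64(field):
    """Strictly decode base64; return None on any malformed input."""
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None

def parse_scram_verifier(s):
    """Return (iterations, salt, stored_key, server_key), or None if malformed."""
    if not s.startswith(SCRAM_PREFIX):
        return None
    parts = s[len(SCRAM_PREFIX):].split("$")
    if len(parts) != 2:
        return None
    head, keys = parts[0].split(":"), parts[1].split(":")
    if len(head) != 2 or len(keys) != 2:
        return None
    iters = head[0]
    if not (iters.isascii() and iters.isdigit()) or int(iters) < 1:
        return None
    salt, stored, server = _b64(head[1]), _b64(keys[0]), _b64(keys[1])
    keys_ok = all(k is not None and len(k) == SHA256_LEN for k in (stored, server))
    if not salt or not keys_ok:
        return None
    return int(iters), salt, stored, server

def password_type(s):
    """Classify a string supplied as a role's password."""
    if parse_scram_verifier(s) is not None:
        return "scram-sha-256"
    if MD5_RE.fullmatch(s):
        return "md5"
    return "plaintext"  # to be hashed per password_encryption, never stored as-is

# Constructed samples: salt is base64("salt"), both keys are 32 zero bytes.
SAMPLE_KEY = "A" * 43 + "="
SAMPLE_OK = "SCRAM-SHA-256$4096:c2FsdA==$" + SAMPLE_KEY + ":" + SAMPLE_KEY
if __name__ == "__main__":
    for s in (SAMPLE_OK, "SCRAM-SHA-256$not-a-verifier", "md5" + "0" * 32):
        print(password_type(s), s[:30])
```

A string that merely starts with the SCRAM prefix is classified as plaintext here, so it would be hashed like any other password instead of being stored as an unusable verifier.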
