On 08/12/2015 01:37 PM, Stephen Frost wrote:
> Would be great to get comments on the other comments, specifically that
> adding SCRAM's password verifier won't seriously change the security of
> a user's account or password based on an attack vector where the
> contents of pg_authid is compromised. I do agree with the general
> concern that the additional complexity involved in supporting multiple
> password verifiers may result in bugs, and likely security ones, but I
> really expect the larger risk to be from the SCRAM implementation itself
> than how we get data into and back out of our own catalogs.
There's also the concern that the additional complexity will cause
*users* to make security-compromising mistakes, which I think is the
greater risk. Robert has mostly won me over to his point of view on this.
The only case where I can see multiple verifiers per role making a real
difference in migrations is for PGAAS hosting. But the folks from
Heroku and AWS have been notably silent on this; lemme ping them.
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com