Home > mailing lists

Re: Password identifiers, protocol aging and SCRAM protocol - Mailing list pgsql-hackers

From	Michael Paquier
Subject	Re: Password identifiers, protocol aging and SCRAM protocol
Date	September 27, 2016 05:28:32
Msg-id	CAB7nPqTpmnT0LKcoO3d5A-SQtvjutgYJO5kpP0j3h_8PTEFMfw@mail.gmail.com Whole thread Raw
In response to	Re: Password identifiers, protocol aging and SCRAM protocol (David Steele <david@pgmasters.net>)
List	pgsql-hackers

Tree view

On Mon, Sep 26, 2016 at 9:22 PM, David Steele <david@pgmasters.net> wrote:
> On 9/26/16 4:54 AM, Heikki Linnakangas wrote:
>> Hmm. The server could send a SCRAM challenge first, and if the client
>> gives an incorrect response, or the username doesn't exist, or the
>> user's password is actually MD5-encrypted, the server could then send an
>> MD5 challenge. It would add one round-trip to the authentication of MD5
>> passwords, but that seems acceptable.

I don't think that this applies just to md5 or scram. Could we for
example use a connection parameter, like expected_auth_methods to do
that? We include that in the startup packet if the caller has defined
it, then the backend checks for matching entries in pg_hba.conf using
the username, database and the expected auth method if specified.
-- 
Michael

pgsql-hackers by date:

From: Peter Eisentraut
Date: 27 September 2016, 05:17:07
Subject: Re: pg_basebackup, pg_receivexlog and data durability (was: silent data loss with ext4 / all current versions)

From: Michael Paquier
Date: 27 September 2016, 05:34:12
Subject: Re: pg_basebackup, pg_receivexlog and data durability (was: silent data loss with ext4 / all current versions)

Re: Password identifiers, protocol aging and SCRAM protocol - Mailing list pgsql-hackers

Previous

Next