Postgres Pro
Downloads
Home   >   mailing lists

Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange - Mailing list pgsql-hackers

From Craig Ringer
Subject Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange
Date
Msg-id CAMsr+YFxAgY0tsBWxXoGw_PzC5hBYYOQPANGcYPjvFn9rhwMAw@mail.gmail.com
Whole thread Raw
In response to Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange  (Michael Paquier <michael.paquier@gmail.com>)
Responses Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange  (Michael Paquier <michael.paquier@gmail.com>)
List pgsql-hackers
Tree view


On 14 Apr. 2017 10:44, "Michael Paquier" <michael.paquier@gmail.com> wrote:
On Fri, Apr 14, 2017 at 1:37 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> On 04/13/2017 05:53 AM, Michael Paquier wrote:
>> +    * Parse the list of SASL authentication mechanisms in the
>> +    * AuthenticationSASL message, and select the best mechanism that we
>> +    * support.  (Only SCRAM-SHA-256 is supported at the moment.)
>>      */
>> -   if (strcmp(auth_mechanism, SCRAM_SHA256_NAME) == 0)
>> +   for (;;)
>> Just an idea here: being able to enforce the selection with an
>> environment variable (useful for testing as well in the future).
>
> Hmm. It wouldn't do much, as long as SCRAM-SHA-256 is the only supported
> mechanism. In general, there is no way to tell libpq to e.g. not do plain
> password authentication, which is more pressing than choosing a particular
> SASL mechanism. So I think we should have libpq options to control that, but
> it's a bigger feature than just adding a debug environment variable here.

Of course, my last sentence implied that this may be useful once more
than 1 mechanism is added. This definitely cannot be a connection
parameter. Your last sentence makes me guess that we agree on that.
But those are thoughts for later..

Are we going to have issues with with mech negotiation re the ability to store auth data for >1 mech and access it early enough?

Presumably we'll need multiple digests for a user. For example if we want to allow the choice of mechs scram-256 and scram-512 we need different stored hashes for the same user in pg_authid. And we'll possibly need to be able to tell at the time we advertise mechs which users have creds for which mechs otherwise we'll advertise mechs they can never succeed. The client has no way to make a sensible choice of mech if some arbitrary subset (maybe just 1) will work for a given user.

There's no point advertising scram-512 if only -256 can work for 'bob' because that's what we have in pg_authid.

Yes, filtering the advertised mechs exposes info. But not being able to log in if you're the legitimate user without configuring the client with your password hash format would suck too.


> Thanks for the review! I've pushed these patches, after a bunch of little
> cleanups here and there, and fixing a few garden-variety bugs in the
> GSS/SSPI changes.

Committed patches look good to me after a second lookup. Thanks!
--
Michael


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: [HACKERS] Rewriting the test of pg_upgrade as a TAP test
Next
From: Rod Taylor
Date:
Subject: Re: [HACKERS] Row Level Security UPDATE Confusion