Re: Raising the SCRAM iteration count - Mailing list pgsql-hackers

From Jonathan S. Katz
Subject Re: Raising the SCRAM iteration count
Date
Msg-id a20abcf0-5e8b-0e99-4953-f5718409e957@postgresql.org
In response to Re: Raising the SCRAM iteration count  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
On 12/14/22 6:52 PM, Michael Paquier wrote:
> On Wed, Dec 14, 2022 at 01:59:04PM -0500, Jonathan S. Katz wrote:
>> HA-256 that we will just need to pick up?
> 
>>> The attached v2 has the GUC rename and a change to GUC_REPORT such that the
>>> frontend can use the real value rather than the default.  I kept it for super
>>> users so far, do you think it should be a user setting being somewhat sensitive?
>>
>> No, because a user can set the number of iterations today if they build
>> their own SCRAM secret. I think it's OK if they change it in a session.
>>
>> If a superuser wants to enforce a minimum iteration count, they can write a
>> password_check_hook. (Or we could add another GUC to enforce that).
> 
> Hm?  check_password_hook does not allow one to recompile the password
> given by the user, except if I am missing your point?
My point is you can write a hook to reject the password if the iteration 
count is "too low". Not to re-hash the password.

Thanks,

Jonathan
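The kind of check Jonathan describes, a hook that parses the SCRAM secret a user supplies and rejects it when the iteration count is below a policy minimum, can be sketched in plain C. The example below is added here and is not from the thread or from PostgreSQL itself: it implements only the secret-parsing and policy-decision core (`scram_secret_iterations` and `scram_iterations_acceptable` are names chosen for this example), which a real extension would call from its `check_password_hook` implementation and turn a rejection into an `ereport(ERROR, ...)`, following the pattern of `contrib/passwordcheck`. The secret format parsed is the one PostgreSQL stores, `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>`; the sample secrets in `main` are constructed and their salt and key fields are placeholder base64, not real credentials.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Extract the iteration count from a SCRAM-SHA-256 secret of the form
 *   SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
 * Returns the iteration count, or -1 if the input is not a well-formed
 * SCRAM-SHA-256 secret (e.g. a plaintext or MD5 password string).
 */
long scram_secret_iterations(const char *secret)
{
    static const char prefix[] = "SCRAM-SHA-256$";
    const size_t prefix_len = sizeof(prefix) - 1;
    const char *p;
    const char *dollar;
    char *num_end;
    long iters;

    if (secret == NULL || strncmp(secret, prefix, prefix_len) != 0)
        return -1;

    /* iteration count: decimal digits terminated by ':' */
    p = secret + prefix_len;
    if (!isdigit((unsigned char) *p))
        return -1;
    errno = 0;
    iters = strtol(p, &num_end, 10);
    if (errno != 0 || iters <= 0 || *num_end != ':')
        return -1;

    /* a non-empty salt must follow, terminated by '$' */
    dollar = strchr(num_end + 1, '$');
    if (dollar == NULL || dollar == num_end + 1)
        return -1;

    /* StoredKey and ServerKey are separated by ':' */
    if (strchr(dollar + 1, ':') == NULL)
        return -1;

    return iters;
}

/*
 * Policy decision a check_password_hook could apply to a pre-built SCRAM
 * secret: accept (1) only when the iteration count meets min_iterations,
 * reject (0) otherwise.  A malformed secret is rejected as well; in a real
 * hook a plaintext password would not reach this check, since the server
 * hashes it with its own configured iteration count.
 */
int scram_iterations_acceptable(const char *secret, long min_iterations)
{
    long iters = scram_secret_iterations(secret);

    if (iters < 0)
        return 0;
    return iters >= min_iterations ? 1 : 0;
}

int main(void)
{
    /* constructed sample secrets; salt and key fields are placeholder base64 */
    const char *secrets[] = {
        "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5",
        "SCRAM-SHA-256$1000:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5",
        "md5placeholder",
    };
    const long minimum = 4096;
    size_t i;

    for (i = 0; i < sizeof(secrets) / sizeof(secrets[0]); i++)
    {
        long iters = scram_secret_iterations(secrets[i]);
        int ok = scram_iterations_acceptable(secrets[i], minimum);

        printf("iterations=%ld -> %s\n", iters,
               ok ? "accepted" : "rejected (below minimum or not SCRAM)");
    }
    return 0;
}
```

The hook only enforces a floor on secrets the client pre-computed; it does not re-hash anything, which is the distinction Jonathan draws above.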
