Re: [HACKERS] SCRAM authentication, take three - Mailing list pgsql-hackers

On 04/07/2017 08:21 AM, Noah Misch wrote:
> On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote:
>> On 04/06/2017 08:36 AM, Noah Misch wrote:
>>> On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote:
>>>> I didn't include the last-minute changes to the way you specify this in
>>>> pg_hba.conf. So it's still just "scram". I agree in general that we should
>>>> think about how to extend that too, but I think the proposed syntax was
>>>> overly verbose for what we actually support right now. Let's discuss that as
>>>> a separate thread, as well.
>>>
>>> [Action required within three days.  This is a generic notification.]
>>>
>>> The above-described topic is currently a PostgreSQL 10 open item.
>>
>> I don't think we will come up with anything better than what we have now, so
>> I have removed this from the open items list.
>
> Michael shared[1] better pg_hba.conf syntax on 2016-11-05.  I agreed[2] with
> his framing of the problem and provided two syntax alternatives, on
> 2017-01-18.  Michael implemented[3] a variation of one of those on 2017-02-20,
> which you declined in your 2017-03-07 commit with just the explanation quoted
> above.  I say Michael came up with something better five months ago.

OK. My feeling is that we should have a relatively short and 
easy-to-pronounce name for it. People editing pg_hba.conf with a text 
editor will need to type in the keyword, and "scram" is a lot easier to 
remember than "scram-sha-256". The word will also be used in 
conversations, "hey, Noah, can you add example.com to the hba file, with 
scram, please?" If md5 had a more difficult name, I think we would've 
come up with a shorthand for it back in the day, too.

I might be wrong, of course. I don't set up PostgreSQL installations for 
a living, so I might be out of touch of what's important.

> Reserving, as HEAD does today, keyword "scram" to mean "type of SCRAM we
> introduced first" will look ugly in 2027.  Cryptographic hash functions have a
> short shelf life compared to PostgreSQL.

I don't think that's such a big deal. Firstly, I don't think it would be 
too bad for "scram" to mean "the type of SCRAM we introduced first". 
Secondly, we can add an alias later, if we add support for a new 
mechanism in the SCRAM family.

Our MD5 authentication method was introduced in 2001, I expect 
SCRAM-SHA-256 to also last about 15 years before we consider replacing 
it. Note that the big problem with our MD5 authentication is not 
actually the hash algorithm. There are still no practical pre-image 
attacks on MD5, even though it's thoroughly broken for collisions. If we 
had "SCRAM-MD5", it would still be OK. So I'd hazard a guess that 
whatever will eventually replace SCRAM-SHA-256, will not be SCRAM with a 
different hash algorithm, but something else entirely.

The channel binding aspect is actually more important to think about 
right now, as that we will hopefully implement in the next release or two.

In [1], Michael wrote:
> There is also the channel binding to think about... So we could have a
> list of keywords perhaps associated with SASL? Imagine for example:
> sasl    $algo,$channel_binding
> Giving potentially:
> sasl    scram_sha256
> sasl    scram_sha256,channel
> sasl    scram_sha512
> sasl    scram_sha512,channel
> In the case of the patch of this thread just the first entry would
> make sense, once channel binding support is added a second
> keyword/option could be added. And there are of course other methods
> that could replace SCRAM..

It should also be possible to somehow specify "use channel binding, if 
the client supports it".

I don't think "sasl" is interesting to a user, it's the actual 
mechanisms (e.g "scram-sha256") that matter. So I'd suggest that we 
allow a list of algorithms in the method field. If we go with the longer 
"scram-sha-256" name, it would look like this:

# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             example.com 
scram-sha-256-plus, scram-sha-256

The problem again is that those names are quite long. Is that OK?

In [2], you wrote:
> The latest versions document this precisely, but I agree with Peter's concern
> about plain "scram".  Suppose it's 2025 and PostgreSQL support SASL mechanisms
> OAUTHBEARER, SCRAM-SHA-256, SCRAM-SHA-256-PLUS, and SCRAM-SHA3-512.  What
> should the pg_hba.conf options look like at that time?  I don't think having a
> single "scram" option fits in such a world.  I see two strategies that fit:
>
> 1. Single "sasl" option, with a GUC, similar to ssl_ciphers, controlling the
>    mechanisms to offer.
> 2. Separate options "scram_sha_256", "scram_sha3_512", "oauthbearer", etc.

The example I gave above is like option 2. The problem with option 1 is 
that different SASL mechanisms can have very different properties. You 
might want to allow "NTLM" from a trusted network, but require "OTP" 
from the public internet, for example. So I don't think a single GUC 
would be flexible enough.

That said, a GUC with a more narrow scope might be OK. If we called the 
method in pg_hba.conf "secure_password", and had a GUC to list which 
password-based mechanisms are considered secure, that would be OK. But I 
think we'd still need a separate pg_hba.conf method name for 
OAUTHBEARER, for example.


PS. If we go with the full names, I think it should "scram-sha-256", 
rather than "scram_sha_256", because the official name uses dashes 
rather than underscores.

[1] 
https://www.postgresql.org/message-id/CAB7nPqS99Z31f7jhoYYMoBDbuZSQRpn+HQzByA=EwfMDYwCk1Q@mail.gmail.com

[2] https://www.postgresql.org/message-id/20170118052356.GA5952@gust

- Heikki