Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPQRE-0005vz-A2 for pgsql-hackers@arkaria.postgresql.org; Wed, 02 Mar 2022 14:58:48 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nPQRD-0001qE-8e for pgsql-hackers@arkaria.postgresql.org; Wed, 02 Mar 2022 14:58:47 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPQRC-0001pg-V4 for pgsql-hackers@lists.postgresql.org; Wed, 02 Mar 2022 14:58:46 +0000 Received: from tamriel.snowman.net ([70.109.60.50]) by magus.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nPQR8-0003La-J1 for pgsql-hackers@lists.postgresql.org; Wed, 02 Mar 2022 14:58:46 +0000 Received: by tamriel.snowman.net (Postfix, from userid 1000) id 627C35F7A2; Wed, 2 Mar 2022 09:58:41 -0500 (EST) Date: Wed, 2 Mar 2022 09:58:41 -0500 From: Stephen Frost To: Bruce Momjian Cc: Michael Paquier , Tom Lane , Jeff Davis , samay sharma , pgsql-hackers@lists.postgresql.org Subject: Re: Proposal: Support custom authentication methods using hooks Message-ID: <20220302145841.GA10577@tamriel.snowman.net> References: <1905579.1645810764@sss.pgh.pa.us> <2718414dc095b716e59e126c03af343997d14c7b.camel@j-davis.com> <1980351.1645816239@sss.pgh.pa.us> <9004b18218eae293f1ee888e49d13d8a6b02810d.camel@j-davis.com> <20220228204634.GM10577@tamriel.snowman.net> <2738622.1646083128@sss.pgh.pa.us> <20220228214255.GO10577@tamriel.snowman.net> <20220301133119.GR10577@tamriel.snowman.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Zif13CGLAmVnkPyw" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --Zif13CGLAmVnkPyw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings, * Bruce Momjian (bruce@momjian.us) wrote: > On Tue, Mar 1, 2022 at 08:31:19AM -0500, Stephen Frost wrote: > > > The last time I played with this area is the recent error handling > > > improvement with cryptohashes but MD5 has actually helped here in > > > detecting the problem as a patched OpenSSL would complain if trying to > > > use MD5 as hash function when FIPS is enabled. > >=20 > > Having to continue to deal with md5 as an algorithm when it's known to > > be notably less secure and so much so that organizations essentially ban > > its use for exactly what we're using it for, in fact, another reason to >=20 > Really? I thought it was publicly-visible MD5 hashes that were the > biggest problem. Our 32-bit salt during the connection is a problem, of > course. Neither are good. Not sure that we really need to spend a lot of effort trying to figure out which issue is the biggest problem. > > remove it, not a reason to keep it. Better code coverage testing of > > error paths is the answer to making sure that our error handling behaves > > properly. >=20 > What is the logic to removing md5 but keeping 'password'? I don't think we should keep 'password'. Thanks, Stephen --Zif13CGLAmVnkPyw Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJiH4YgAAoJEO1sijiDR2RVeBcQAImIEYnI3LnveVuEGJmLqd+O gnma82QIaYLJ3IfPyAZQzveaJGi3BW1PBEEms0R5GrbMLYsB1A/m3euTcYoPggxJ kFQTp/F0XyMK17dGINEVHD2VLKsfrMutes750uM/6Z9gE2rizJEbNlx8hmLtWPVv 6AvYT/xCYhHt53/784ANZfLVphHkv/i544EeQeOUemZg4R/E9N6oa+jpOZQFvTtK +mjDB8PWzUwfbhwU1YVldWfrXWfOqaQ396hSYTKwXjxIcD0HqokHQYfxo5upw9Zx ze3XVP3ehxhnmp2WOPViAEnA827D94sJSM4zXtFLdhN17akxq1dTCg2dNSiTSkxP 69t4Uo8f4O9G4gaujfmKp/cF0Vu3xZS670F9xaajmr3mNV7GvdAzkt2laOEA9z+v FXb9cr4m26N6+/gfiAEsS7uBV9ymn/e//ki6AWO0rfZbcaorKHM7PM4AgJitQAPg C60skQ7x2CiG5zuEN1vs6rCiGsNWuUYzzePz+f30TPF5Z7yVUsYQrjmWswkBOSRr o4y/UL0E8zunwYAROppaPMKzm9nvU2d4nN9s1aqJWrL3LsuzpvH3yNu0gxatKCpj yePHNhk4np3Q77kTIiH5qPWSmSNlGtjUVsdlUjVzy7Qw7nqFpQHNBA0t3KKmtXQ8 tSMt0B5QXt/qyCKMr9uw =/NG7 -----END PGP SIGNATURE----- --Zif13CGLAmVnkPyw--