Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qoTem-001PFh-E7 for pgsql-hackers@arkaria.postgresql.org; Thu, 05 Oct 2023 19:05:08 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qoTei-00GpNB-Jv for pgsql-hackers@arkaria.postgresql.org; Thu, 05 Oct 2023 19:05:05 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qoTei-00GpMz-9q for pgsql-hackers@lists.postgresql.org; Thu, 05 Oct 2023 19:05:05 +0000 Received: from mail-qk1-x730.google.com ([2607:f8b0:4864:20::730]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qoTeb-000Dbl-Ns for pgsql-hackers@lists.postgresql.org; Thu, 05 Oct 2023 19:05:04 +0000 Received: by mail-qk1-x730.google.com with SMTP id af79cd13be357-77574c076e4so85132385a.1 for ; Thu, 05 Oct 2023 12:04:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696532696; x=1697137496; darn=lists.postgresql.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=7uMIcSSjDmWwYZmiVbNjvgVXHsRyv3ZtZeaH0BVcOgo=; b=RTFsFvJR++DFmsz+N/kAv6PGD4VMaHS/UmxAOh28RbCh0LTkBEuazdLsvrtlZo2WwF CeOJoVhlXMyqCJx5oI0+6uoPMfy4tucb+YCVh5KCLeSH4TXA7ZiOVTSJ2rpgwHSRSQd9 wTe7AfFFsa25eRs5UWfjuuBPbIXtFzrECRx+lOhnROWAOOP6cFD3ft+WEmUZzswfDuof lG9VNj7zQHeUlQqSpD6bDCm4s/uMTfRJHTIjPflE+6uS5kLxkEqAqRupQMDjWpN3Ujys t5UHC9VUaVgG9lsrFUql28K0vDINTnAwQLXJlbabc7E1MK8GcrD8RPfaiazmVJIUPa78 mQ6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696532696; x=1697137496; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=7uMIcSSjDmWwYZmiVbNjvgVXHsRyv3ZtZeaH0BVcOgo=; b=LXsl/JvIwW8MM3dZMY2jbIneYtXIRz5B8CNZJDQbyLQRswnz6uGIP13MfmAV0sRwO1 ii2o7lBUFyTSgB4OHiDWly3jxrGEduxCQwT9IUB0D6UXjhnwaX18j4M+ns1ySSNKZfBB ECiG08rh1fcHA5M6D1g+Ed+Q+KsMet0ctSG38TvOe8m8OUokTiI7Q5e6TxAv+kX80Y4B rAfT6mPJStveEN7FsUSVRGwj1/eCOC0U5SZDZ1K9I7a8BBMg99SGpeneVINytvRuIst4 gzCG1MqbGpbOxGS+VgCgBH4qn8BbZeIKHB65ESKq6/ys/H5iZpofKoeJo3/Db5pNmHx0 pEBw== X-Gm-Message-State: AOJu0YxrzQHUyakbMGsJEtDvcCKR3i2Sf7Vq0Hpo4S2mXjw9HkonHCQl fRgb4gczmzssUbEMfYw9MSg= X-Google-Smtp-Source: AGHT+IE9QbNse/2alv5lpq4VTo6Pe+OICP33YxecO7H9zXfRmW5AJsR/y15Kf7Rv63nHazImZIn3sQ== X-Received: by 2002:a05:620a:f0b:b0:76c:b53b:8702 with SMTP id v11-20020a05620a0f0b00b0076cb53b8702mr7404913qkl.26.1696532695844; Thu, 05 Oct 2023 12:04:55 -0700 (PDT) Received: from nathanxps13 (162-195-168-172.lightspeed.stlsmo.sbcglobal.net. [162.195.168.172]) by smtp.gmail.com with ESMTPSA id du33-20020a05620a47e100b0076db1caab16sm695640qkb.22.2023.10.05.12.04.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Oct 2023 12:04:55 -0700 (PDT) Date: Thu, 5 Oct 2023 14:04:53 -0500 From: Nathan Bossart To: Gurjeet Singh Cc: PostgreSQL Hackers , Stephen Frost , "Brindle, Joshua" , Jacob Champion , Jeff Davis Subject: Re: [PoC/RFC] Multiple passwords, interval expirations Message-ID: <20231005190453.GB151257@nathanxps13> References: <20220701002034.GA9030@tamriel.snowman.net> <80684017-18c6-4116-9249-bb049ffe1ecf@amazon.com> <41a690ee7b030e6f41709bd39375641ef934e05f.camel@j-davis.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Oct 04, 2023 at 10:41:15PM -0700, Gurjeet Singh wrote: > The patches posted in this thread so far attempt to add the ability to > allow the user to have an arbitrary number of passwords. I believe > that allowing arbitrary number of passwords is not only unnecessary, > but the need to name passwords, the need to store them in a shared > catalog, etc. may actually create problems in the field. The > users/admins will have to choose names for passwords, which they > didn't have to previously. The need to name them may also lead to > users storing password-hints in the password names (e.g. 'mom''s > birthday', 'ex''s phone number', 'third password'), rendering the > passwords weak. > > Moreover, allowing an arbitrarily many number of passwords will > require us to provide additional infrastructure to solve problems like > observability (which passwords are currently in use, and which ones > have been effectively forgotten by applications), or create a nuisance > for admins that can create more problems than it solves. IMHO neither of these problems seems insurmountable. Besides advising against using hints as names, we could also automatically generate safe names, or even disallow user-provided names entirely. And adding observability for passwords seems worthwhile anyway. > So I propose that the feature should allow no more than 2 passwords > for a role, each with their own validity periods. This eliminates the > need to name passwords, because at any given time there are no more > than 2 passwords; current one, and old one. This also eliminates the > need for a shared catalog to hold passwords, because with the limit of > 2 imposed, we can store the old password and its validity period in > additional columns in the pg_authid table. Another approach could be to allow an abritrary number of passwords but to also allow administrators to limit how many passwords can be associated to each role. That way, we needn't restrict this feature to 2 passwords for everyone. Perhaps 2 should be the default, but in any case, IMO we shouldn't design to only support 2. > In essence, we create a stack that can hold 2 passwords. Pushing an > element when it's full will make it forget the bottom element. Popping > the stack makes it forget the top element, and the only remaining > element, if any, becomes the top. I think this would be mighty confusing to users since it's not clear that adding a password will potentially invalidate a current password (which might be actively in use), but only if there are already 2 in the stack. I worry that such a desіgn might be too closely tailored to the implementation details. If we proceed with this design, perhaps we should consider ERROR-ing if a user tries to add a third password. > -- If, for some reason, the user wants to get rid of the latest password added. > -- Remove 'p2' (current password). The old password (p1), will be restored to > -- rolpassword, along with its valid-until value. > ALTER ROLE u1 PASSWORD NULL; > -- This may come as a surprise to some users, because currently they expect the > -- user to completely lose the ability to use passwords for login after this > -- command. To get the old behavior, the user must now use the ALL PASSWORD > -- NULL incantation; see below. > -- Issuing this command one more time will remove even the restored password, > -- hence leaving the user with no passwords. Is it possible to remove the oldest password added without removing the latest password added? -- Nathan Bossart Amazon Web Services: https://aws.amazon.com