public inbox for [email protected]  
help / color / mirror / Atom feed
From: Jeff Davis <[email protected]>
To: Gurjeet Singh <[email protected]>
To: Stephen Frost <[email protected]>
Cc: Brindle, Joshua <[email protected]>
Cc: Jacob Champion <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Cc: Nathan Bossart <[email protected]>
Subject: Re: [PoC/RFC] Multiple passwords, interval expirations
Date: Tue, 26 Sep 2023 16:36:31 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <CABwTF4XZO_429=QzZHt-1Q=KSCR2XjYG+xVy2p-PdPtun9tVdg@mail.gmail.com>
References: <CAGB+Vh5SQQorNDEKP+0G=smxHRhbhs+VkmQWD5Vh98fmn8X4dg@mail.gmail.com>
	<CAGB+Vh7aLDrZ4RJbfqJ2u0sz-qvV4V5gtyaGr0Bqkp-Q9ojktg@mail.gmail.com>
	<CAGB+Vh65WkmR1V5qVUerxmsJE9uBFqwd0oWTTNU=dca_ep2N5Q@mail.gmail.com>
	<CAGB+Vh5Ed65gCmjJxCYguVoBoiDLePYDAeHMkb6-7PR-DFU-yQ@mail.gmail.com>
	<[email protected]>
	<CAOuzzgpyFRFbskZW0uYwP4_r5NkFJywTurn0SQ+pkbcuuQchjw@mail.gmail.com>
	<CABwTF4Uih+xKc8o7W-Qmzo2Oc3BbvnY+JHzcZ-HG2vDzBQpf8w@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CAOuzzgq2j43X6vwF8LCPcPuKZ2gw0ZbF=CrsB6CmtEt1h2ci0g@mail.gmail.com>
	<CABwTF4XZO_429=QzZHt-1Q=KSCR2XjYG+xVy2p-PdPtun9tVdg@mail.gmail.com>

On Mon, 2023-09-25 at 00:31 -0700, Gurjeet Singh wrote:

> Please see attached v4 of the patch. The patch takes care of rebase
> to
> the master/17-devel branch, and includes some changes, too.

FWIW I got some failures applying. I didn't investigate much, and
instead I looked at your git branch (7a35619e).

> Moreover, before the patch, in case of CheckPasswordAuth(), the error
> (if any) would have been thrown _after_ network communication done by
> sendAuthRequest() call. But with this patch, the error is thrown
> before the network interaction, hence this changes the order of
> network interaction and the error message. This may have security
> implications, too, but I'm unable to articulate one right now.

You mean before v3 or before v4? Is this currently a problem in v4?

> Open question: If a client is capable of providing just md5 passwords
> handshake, and because of pg_hba.conf setting, or because the role
> has
> at least one SCRAM password (essentially the 3rd case you mention
> above: pg_hba md5 + md5 and scram pws -> scram), the server will
> respond with a SASL/SCRAM authentication response, and that would
> break the backwards compatibility and will deny access to the client.
> Does this make it necessary to use a newer libpq/client library?

Perhaps you can try the MD5 passwords first, and only if they fail,
move on to try scram passwords?

> Comments?

IIUC, for the case of multiple scram passwords, we use the salt to
select the right scram password, and then proceed from there?

I'm not very excited about the idea of naming passwords, or having
passwords with default names. I can't think of anything better right
now, so it might be OK.

> - Add tests
> - Add/update documentation

These are needed to provide better review.


Regards,
	Jeff Davis







view thread (14+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: [PoC/RFC] Multiple passwords, interval expirations
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox