Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qlHbc-00263Q-MH for pgsql-hackers@arkaria.postgresql.org; Tue, 26 Sep 2023 23:36:40 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qlHba-00GEQT-VD for pgsql-hackers@arkaria.postgresql.org; Tue, 26 Sep 2023 23:36:38 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qlHba-00GEQF-Kq for pgsql-hackers@lists.postgresql.org; Tue, 26 Sep 2023 23:36:38 +0000 Received: from mail-pg1-x534.google.com ([2607:f8b0:4864:20::534]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qlHbX-007mIC-IF for pgsql-hackers@postgresql.org; Tue, 26 Sep 2023 23:36:37 +0000 Received: by mail-pg1-x534.google.com with SMTP id 41be03b00d2f7-573e67cc6eeso6570497a12.2 for ; Tue, 26 Sep 2023 16:36:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20230601.gappssmtp.com; s=20230601; t=1695771393; x=1696376193; darn=postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=wB4398ZCpRhATUVMu7Gj7MkDkYd8VKjYdOdIhPWyots=; b=sbUrtOODeNMLaCLQgS9XS3BSKYbmZ9oOJo7BQ2ZMM440qX6yGdtGLFw2BDM+lIDyYW wTH7DDNyu5SoLI3AHSIl5R1z4/P3crCNpi3W3DBfM/nKALqG07BmIzymtjprwTWox2TP hIIIMYKcj0EMF1Pvpo50RUO61jt+Bhqx0Qqd2jN5xRGiK1Ir/AKONfbEnFnCKr6++qKU edy/pOgZ6lBkMXyKweMmPKNNEszM4LVh56Y74TLRteDo6c9PWOh/NhruktpHZ3/RXzr+ Y4PdlgFdVQLwdbuzBJVPYd1M86LpJP0tMp5wX3D63TMBZDT18A1FAQNFkgSpnFPj3+rt vSnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695771393; x=1696376193; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=wB4398ZCpRhATUVMu7Gj7MkDkYd8VKjYdOdIhPWyots=; b=qOfhZKNlxPncf4iH+M1IPUZsdh1Z2q1Q9eFgD1XfxuD+yuT2RiRWR5ZGhj0N8i94GD FSHZ5KBgwaxbCkCzLeODqoV1ldJGMnK2vgF5BOs1+ChMf4G4dGg3QJm60g1bqz+Znquh YwLC88fHD5FhUPgbC4Vb2HCx2g+BHEOeVC5vLcknYTgs0DbedYMA1rkObbeP7huY5Coi 0vQdEWmHZbc6KUijC0y9orcF5bSh1+yTU++vioqOw8JZpthJ7ZmAO4pyM0zFWaPDbF4A fPUV+XPUoEE1VnAo4awhFaBU/q1Eb0F92X4EF1dGL625J2uxeIkmrvBMUMZY7zvJDTV+ BK+w== X-Gm-Message-State: AOJu0Yzh8Zqy5FDgxvFkNUsXAeW3xfsPa5ZlHCdc5+saiq0wiXCvCr5G W7hlq4jC2qXis72S3X+hp0bIcw== X-Google-Smtp-Source: AGHT+IE1VUsMSbU4kWZY4h1oj7AmSMIa+xc5sBcqfyEuOMhjQXD/DYIZl2ctz76J+LJ65clxPQEgTQ== X-Received: by 2002:a05:6a20:ce92:b0:158:2031:9a0a with SMTP id if18-20020a056a20ce9200b0015820319a0amr371644pzb.32.1695771393550; Tue, 26 Sep 2023 16:36:33 -0700 (PDT) Received: from jeff-laptop.lan (c-98-45-81-55.hsd1.ca.comcast.net. [98.45.81.55]) by smtp.gmail.com with ESMTPSA id p22-20020a170902a41600b001ae0152d280sm11543758plq.193.2023.09.26.16.36.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 16:36:32 -0700 (PDT) Message-ID: <41a690ee7b030e6f41709bd39375641ef934e05f.camel@j-davis.com> Subject: Re: [PoC/RFC] Multiple passwords, interval expirations From: Jeff Davis To: Gurjeet Singh , Stephen Frost Cc: "Brindle, Joshua" , Jacob Champion , PostgreSQL-development , Nathan Bossart Date: Tue, 26 Sep 2023 16:36:31 -0700 In-Reply-To: References: <20220701002034.GA9030@tamriel.snowman.net> <80684017-18c6-4116-9249-bb049ffe1ecf@amazon.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4-0ubuntu2 MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, 2023-09-25 at 00:31 -0700, Gurjeet Singh wrote: > Please see attached v4 of the patch. The patch takes care of rebase > to > the master/17-devel branch, and includes some changes, too. FWIW I got some failures applying. I didn't investigate much, and instead I looked at your git branch (7a35619e). > Moreover, before the patch, in case of CheckPasswordAuth(), the error > (if any) would have been thrown _after_ network communication done by > sendAuthRequest() call. But with this patch, the error is thrown > before the network interaction, hence this changes the order of > network interaction and the error message. This may have security > implications, too, but I'm unable to articulate one right now. You mean before v3 or before v4? Is this currently a problem in v4? > Open question: If a client is capable of providing just md5 passwords > handshake, and because of pg_hba.conf setting, or because the role > has > at least one SCRAM password (essentially the 3rd case you mention > above: pg_hba md5 + md5 and scram pws -> scram), the server will > respond with a SASL/SCRAM authentication response, and that would > break the backwards compatibility and will deny access to the client. > Does this make it necessary to use a newer libpq/client library? Perhaps you can try the MD5 passwords first, and only if they fail, move on to try scram passwords? > Comments? IIUC, for the case of multiple scram passwords, we use the salt to select the right scram password, and then proceed from there? I'm not very excited about the idea of naming passwords, or having passwords with default names. I can't think of anything better right now, so it might be OK. > - Add tests > - Add/update documentation These are needed to provide better review. Regards, Jeff Davis