On Sun, May 13, 2018 at 03:43:08PM +0900, Michael Paquier wrote:
> On Fri, May 11, 2018 at 11:08:52AM -0400, Bruce Momjian wrote:
> > I have committed the first draft of the Postgres 11 release notes. I
> > will add more markup soon. You can view the most current version
> > here:
>
> Thanks for gathering all the commits in one piece, Bruce.
>
> > I expect a torrent of feedback. ;-)
>
> I looked at the entries where my name shows up. Here is some feedback
> with HEAD at 8c6227a2 (latest as of writing this message).
>
> <para>
> Add information_schema columns related to table constraints and
> triggers (Michael Paquier)
> </para>
> The author of this entry is Peter Eisentraut, not me.
Thanks, I got "Reviewed-by" and "Author" mixed up.
> <para>
> Channel binding requires the server end
> of the <acronym>TLS</acronym> connection to
> prove that it knows the password. The options are <link
>
> linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
> and <option>scram_channel_binding=tls-server-end-point</option>.
> </para>
> This is not actually correct. Channel binding is an MITM prevention
> mechanism which makes sure that after the SSL handshake the backend and
> the frontend are still connected to the same things. "tls-unique" makes
> sure that a connection is uniquely used using a hash of the TLS finish
> message, and end-point makes sure that the endpoints are the same using
> a hash of the server certificate.
So, channel binding has had me confused since I first heard about it. I
have done some research and reworded the commit with the attached first patch.
Also, I have created a second patch which actually explains the two
SCRAM channel binding options and how the work.
One question I do have is how do we prevent a fake server in the middle
from pretending it is a PG 10 server and therefore avoiding channel
binding protections? I don't see any channel binding options in
pg_hba.conf, and while libpq has options, they are explained with "This
parameter is mainly intended for protocol testing."
> <para>
> WHAT DOES THIS DOC TEXT MEAN? "An empty value specifies that
> the client will not use channel binding. The default value
> is tls-unique."
> </para>
> This means that the client can choose to not use channel binding (which
> sends a 'n' flag if you refer to the communication protocol of SCRAM),
> even if the server has advertised to the client channel binding. So
> this provides a way to disable the feature at will, an on/off switch if
> you want. If a v10 libpq tries to connect to a v11 server, then it
> won't use channel binding automatically. That may be worth adding to
> the documentation as well.
I have updated the docs in the second patch to explain this.
> <para>
> Allow access to file system functions to be controlled by
> <command>GRANT</command>/<command>REVOKE</command> permissions,
> rather than super-user checks (Michael Paquier)
> </para>
> Author is Stephen Frost here.
Done.
> <para>
> Use <command>GRANT</command>/<command>REVOKE</command>
> to control access to <link
> linkend="lo-import"><function>lo_import()</function></link>
> and <function>lo_export()</function> (Michael Paquier)
> </para>
> Tom Lane is a co-author here I think.
Done.
> <para>
> Add libpq parameter to allow physical and logical replication
> connections (Michael Paquier)
> </para>
> This commit has just added documentation which was missing and
> incomplete. I would suggest to remove it from the release notes as no
> new feature has been added.
Removed.
> <para>
> Add <link
> linkend="app-pgreceivewal"><application>pg_receivewal</application></link>
> option <option>--no-sync</option> to prevent synchronous
> <acronym>WAL</acronym> writes (Michael Paquier)
> </para>
> Perhaps this should be rewritten? --no-sync just disables any fsync
> calls for WAL segments, which is useful for tests, not recommended for
> production environments.
Done.
> <para>
> Prevent <application>pg_rewind</application> from running as
> <literal>root</literal> (Magnus Hagander)
> </para>
> This one's authorship is actually mine, after a bug I found :)
Done, thanks much.
--
Bruce Momjian <[email protected]> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
new file mode 100644
index 6bde17e..763a154
*** a/doc/src/sgml/release-11.sgml
--- b/doc/src/sgml/release-11.sgml
*************** same commits as above
*** 1057,1063 ****
<para>
Add information_schema columns related to table constraints and
! triggers (Michael Paquier)
</para>
<para>
--- 1057,1063 ----
<para>
Add information_schema columns related to table constraints and
! triggers (Peter Eisentraut)
</para>
<para>
*************** same commits as above
*** 1091,1111 ****
<para>
Add libpq option to support channel binding when using <link
linkend="auth-password"><acronym>SCRAM</acronym></link>
! authentication (Michael Paquier)
</para>
<para>
! Channel binding requires the server end
! of the <acronym>TLS</acronym> connection to
! prove that it knows the password. The options are <link
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
and <option>scram_channel_binding=tls-server-end-point</option>.
</para>
-
- <para>
- WHAT DOES THIS DOC TEXT MEAN? "An empty value specifies that
- the client will not use channel binding. The default value
- is tls-unique."
</para>
</listitem>
--- 1091,1107 ----
<para>
Add libpq option to support channel binding when using <link
linkend="auth-password"><acronym>SCRAM</acronym></link>
! authentication (Peter Eisentraut)
</para>
<para>
! While <acronym>SCRAM</acronym> always prevents the
! replay of transmitted hashed passwords in a later
! session, <acronym>SCRAM</acronym> with channel binding
! also prevents man-in-the-middle attacks. The options are <link
linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
and <option>scram_channel_binding=tls-server-end-point</option>.
</para>
</para>
</listitem>
*************** same commits as above
*** 1196,1202 ****
<para>
Allow access to file system functions to be controlled by
<command>GRANT</command>/<command>REVOKE</command> permissions,
! rather than super-user checks (Michael Paquier)
</para>
<para>
--- 1192,1198 ----
<para>
Allow access to file system functions to be controlled by
<command>GRANT</command>/<command>REVOKE</command> permissions,
! rather than super-user checks (Stephen Frost)
</para>
<para>
*************** same commits as above
*** 1218,1224 ****
Use <command>GRANT</command>/<command>REVOKE</command>
to control access to <link
linkend="lo-import"><function>lo_import()</function></link>
! and <function>lo_export()</function> (Michael Paquier)
</para>
<para>
--- 1214,1220 ----
Use <command>GRANT</command>/<command>REVOKE</command>
to control access to <link
linkend="lo-import"><function>lo_import()</function></link>
! and <function>lo_export()</function> (Michael Paquier, Tom Lane)
</para>
<para>
*************** same commits as above
*** 1881,1902 ****
<listitem>
<!--
- 2018-03-06 [0c2c81b40] doc: Add replication parameter to libpq documentation
- -->
-
- <para>
- Add libpq parameter to allow physical and logical replication
- connections (Michael Paquier)
- </para>
-
- <para>
- The libpq connection parameter is called <link
- linkend="libpq-connect-replication"><option>replication</option></link>.
- </para>
- </listitem>
-
- <listitem>
- <!--
2018-03-17 [e3bdb2d92] Set libpq sslcompression to off by default
-->
--- 1877,1882 ----
*************** same commits as above
*** 2330,2336 ****
Add <link
linkend="app-pgreceivewal"><application>pg_receivewal</application></link>
option <option>--no-sync</option> to prevent synchronous
! <acronym>WAL</acronym> writes (Michael Paquier)
</para>
</listitem>
--- 2310,2316 ----
Add <link
linkend="app-pgreceivewal"><application>pg_receivewal</application></link>
option <option>--no-sync</option> to prevent synchronous
! <acronym>WAL</acronym> writes, for testing (Michael Paquier)
</para>
</listitem>
*************** same commits as above
*** 2382,2388 ****
<para>
Prevent <application>pg_rewind</application> from running as
! <literal>root</literal> (Magnus Hagander)
</para>
</listitem>
--- 2362,2368 ----
<para>
Prevent <application>pg_rewind</application> from running as
! <literal>root</literal> (Michael Paquier)
</para>
</listitem>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
new file mode 100644
index 800e68a..498b8df
*** a/doc/src/sgml/libpq.sgml
--- b/doc/src/sgml/libpq.sgml
*************** postgresql://%2Fvar%2Flib%2Fpostgresql/d
*** 1242,1255 ****
<term><literal>scram_channel_binding</literal></term>
<listitem>
<para>
! Specifies the channel binding type to use with SCRAM authentication.
! The list of channel binding types supported by server are listed in
! <xref linkend="sasl-authentication"/>. An empty value specifies that
! the client will not use channel binding. The default value is
! <literal>tls-unique</literal>.
</para>
<para>
Channel binding is only supported on SSL connections. If the
connection is not using SSL, then this setting is ignored.
</para>
--- 1242,1259 ----
<term><literal>scram_channel_binding</literal></term>
<listitem>
<para>
! Specifies the channel binding type to use with SCRAM
! authentication. While <acronym>SCRAM</acronym> alone prevents
! the replay of transmitted hashed passwords, channel binding also
! prevents man-in-the-middle attacks.
</para>
<para>
+ The list of channel binding types supported by the server are
+ listed in <xref linkend="sasl-authentication"/>. An empty value
+ specifies that the client will not use channel binding. If this
+ parameter is not specified, <literal>tls-unique</literal> is used,
+ if supported by both server and client.
Channel binding is only supported on SSL connections. If the
connection is not using SSL, then this setting is ignored.
</para>
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
new file mode 100644
index 004b360..cfc805f
*** a/doc/src/sgml/protocol.sgml
--- b/doc/src/sgml/protocol.sgml
*************** should use <literal>tls-unique</literal>
*** 1584,1589 ****
--- 1584,1616 ----
that cannot support <literal>tls-unique</literal> for some reason.
</para>
+ <para>
+ In <acronym>SCRAM</acronym> without channel binding, the server chooses
+ a random number that is transmitted to the client to be mixed with the
+ user-supplied password in the transmitted password hash. While this
+ prevents the password hash from being successfully retransmitted in
+ a later session, it does not prevent a fake server between the real
+ server and client from passing through the server's random value
+ and successfully authenticating.
+ </para>
+
+ <para>
+ <acronym>SCRAM</acronym> with channel binding prevents such
+ man-in-the-middle attacks by mixing a value into the transmitted
+ password hash that cannot be retransmitted by a fake server.
+ In <acronym>SCRAM</acronym> with <literal>tls-unique</literal>
+ channel binding, the shared secret negotiated during the SSL session
+ is mixed into the user-supplied password hash. The shared secret
+ is partly chosen by the server, but not directly transmitted, making
+ it impossible for a fake server to create an SSL connection with the
+ client that has the same shared secret it has with the real server.
+ <acronym>SCRAM</acronym> with <literal>tls-server-end-point</literal>
+ mixes a hash of the server's certificate into the user-supplied password
+ hash. While a fake server can retransmit the real server's certificate,
+ it doesn't have access to the private key matching that certificate, and
+ therefore cannot prove it is the owner, causing SSL connection failure.
+ </para>
+
<procedure>
<title>Example</title>
<step id="scram-begin">
