On Wed, Apr 26, 2017 at 09:02:51AM +0900, Michael Paquier wrote:
> On Wed, Apr 26, 2017 at 12:20 AM, Bruce Momjian <br...@momjian.us> wrote:
> > On Tue, Apr 25, 2017 at 02:39:40PM +0900, Michael Paquier wrote:
> >> <para>
> >> Add <link linkend="auth-pg-hba-conf"><literal>SCRAM-SHA-256</></>
> >> support for password negotiation and storage (Michael
> >> Paquier, Heikki Linnakangas)
> >> </para>
> >> <para>
> >> This provides better security than the existing 'md5' negotiation and
> >> storage method.
> >> </para>
> >> This is quite vague...
> >
> > Can you give me better text?  I can't think of any.
>
> Sure, here is an idea:
> Add support for SASL authentication using protocol mechanism
> SCRAM-SHA-256 per RFC 5802 and 7677. (adding a reference to the RFCs
> with a link seems important to me).
>
> SCRAM-SHA-256 improves deficiencies of MD5 password hashing by
> preventing any kind of pass-the-hash vulnerabilities, where a user
> would be able to connect to a PostgreSQL instance by just knowing the
> hash of a password and not the password itself.
First, I don't think RFC references belong in the release notes, let
alone RFC links.

Second, there seems to be some confusion over what SCRAM-SHA-256 gives
us over MD5.  I think there are a few benefits:

o  packets cannot be replayed as easily, i.e. md5 replayed random salt
   packets with a 50% probability after 16k sessions

o  hard to re-use SCRAM-SHA-256 string if disclosed vs. simple for md5

o  harder to brute-force trying all possible strings to find a
   matching hash

So if you tell users that SCRAM-SHA-256 is better than MD5 only because
of one of those, they will not realize that there are three benefits of
changing to SCRAM-SHA-256.  I might have even missed some benefits.

-- 
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
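The pass-the-hash point raised in the thread (Michael's wording, and the second of Bruce's three benefits) can be made concrete by modelling both exchanges. The following is an added example written for this page; it is not code from the thread or from PostgreSQL itself. It reproduces the documented "md5" scheme (stored value md5(password || username), challenge response md5(hex || 4-byte salt)) and a minimal SCRAM-SHA-256 client/server pair per RFC 5802/7677, with SASLprep normalisation and channel binding left out for brevity (the "c=biws" value is the base64 of "n,," that a client sends when it offers no channel binding). The user name, password, nonces and salts are constructed sample inputs. It then shows that a stolen md5 stored value is enough to answer a fresh challenge, while a stolen SCRAM verifier (StoredKey and ServerKey) is not, because the server only ever sees H(ClientKey) and the client must exhibit ClientKey itself.

```python
"""PostgreSQL-style md5 vs SCRAM-SHA-256 authentication, simplified (added example)."""
import base64
import hashlib
import hmac
import os

# --- PostgreSQL "md5" method -------------------------------------------------
# Stored form: "md5" + hex(md5(password + username)).  Wire response to a
# 4-byte random salt: "md5" + hex(md5(hexdigest + salt)).  The response is a
# function of the stored value alone, so the stored value is a credential.

def md5_stored(user: str, password: str) -> str:
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def md5_response(stored: str, salt: bytes) -> str:
    # Computed from the stored value only; the password is never needed.
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()

def md5_server_verify(stored: str, salt: bytes, response: str) -> bool:
    return hmac.compare_digest(md5_response(stored, salt), response)

# --- SCRAM-SHA-256 (RFC 5802 / RFC 7677), minimal, no SASLprep --------------

def _hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-256 as the PRF, 32-byte output.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores: salt, iteration count, StoredKey, ServerKey."""
    salted = _hi(password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(client_key),              # H(ClientKey): one-way
        "server_key": _hmac(salted, b"Server Key"),
    }

def scram_client_proof(password: str, salt: bytes, iterations: int,
                       auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = _hi(password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return _xor(client_key, _hmac(_h(client_key), auth_message))

def scram_server_verify(verifier: dict, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = _hmac(verifier["stored_key"], auth_message)
    client_key = _xor(proof, client_sig)
    return hmac.compare_digest(_h(client_key), verifier["stored_key"])

def scram_server_signature(verifier: dict, auth_message: bytes) -> bytes:
    """Server-final 'v=' value, proving the server knows ServerKey."""
    return _hmac(verifier["server_key"], auth_message)

def run_demo() -> dict:
    user, password = "alice", "correct horse"        # constructed credentials

    # md5: whoever holds the stored value answers a fresh challenge.
    stored = md5_stored(user, password)
    salt = os.urandom(4)
    md5_pass_the_hash = md5_server_verify(stored, salt, md5_response(stored, salt))

    # SCRAM: build the three messages that form AuthMessage.
    verifier = scram_verifier(password, os.urandom(16), 4096)
    cnonce = base64.b64encode(os.urandom(18)).decode()
    snonce = cnonce + base64.b64encode(os.urandom(18)).decode()
    client_first_bare = f"n={user},r={cnonce}"
    server_first = (f"r={snonce},s={base64.b64encode(verifier['salt']).decode()},"
                    f"i={verifier['iterations']}")
    client_final_bare = f"c=biws,r={snonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()

    good_proof = scram_client_proof(password, verifier["salt"],
                                    verifier["iterations"], auth_message)
    # Attacker with the stolen verifier knows StoredKey = H(ClientKey) only.
    # The best they can do is substitute a guess for ClientKey; the server
    # recovers the guess and its hash does not match StoredKey.
    guess = verifier["stored_key"]
    forged_proof = _xor(guess, _hmac(guess, auth_message))
    return {
        "md5_pass_the_hash": md5_pass_the_hash,
        "scram_with_password": scram_server_verify(verifier, auth_message, good_proof),
        "scram_with_stolen_verifier": scram_server_verify(verifier, auth_message, forged_proof),
        "server_signature_len": len(scram_server_signature(verifier, auth_message)),
    }

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` yields `md5_pass_the_hash` true and `scram_with_stolen_verifier` false: the md5 stored value is interchangeable with the password on the wire, while the SCRAM verifier only lets its holder verify clients (or impersonate the server), not log in. The server signature in the final message is what lets the client detect a server that has neither the password nor the verifier.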