Hi,

Stephen Frost wrote:
> PG supports client-side certificate based authentication which would be
> far better than any kind of password-based authentication. If password
> based auth is insisted upon then TLS to verify the server-side and
> protect the network connection would be good and remove the need for the
> challenge/response protocol and lead to 'password' being an acceptable
> option there, but that doesn't mean it'd be a good default for Debian,
> imv, because we *don't* require server-authenticated TLS, or TLS at all,
> currently. Further, I'm not convinced that 'password' there would really
> be all that much better than 'md5' as, as has been discussed, if you
> have access to pg_authid then you have access to the PG data directory.
> Further, at that point, you've probably got access to the backend and
> with password-based auth the postmaster process will see the user's
> actual password.
>
> In the end, I think we might move to support SCRAM and simply deprecate
> md5 in favor of that rather than try to fix the current mechanism
> without breaking things because any such fix wouldn't be a serious
> improvement and would just mislead users into thinking it's safe.
>
> We're currently looking at getting SCRAM support by implementing SASL,
> but I'm worried that we'll then create a dependency on SASL that people
> won't be happy with and therefore I'm very curious about how difficult
> it'd be to implement proper SCRAM directly. Do you know if there is
> BSD-licensed code (PG is entirely BSD licensed) that implements SCRAM?
Just to put the idea out there; PGSQL currently links to OpenSSL for TLS, right? TLS has support for SRP [0] [1]. This could be used for password based authenticated TLS sessions without client certificates. Might be less of a burden on users than deploying PKIX with client-certificates while still providing proper security.

Aaron

[0] https://en.wikipedia.org/wiki/TLS-SRP
[1] http://www.ietf.org/rfc/rfc5054.txt
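To make concrete what the quoted message asks about (implementing SCRAM directly, and why it avoids both the md5 problem of pg_authid being password-equivalent and the 'password' problem of the postmaster seeing the cleartext), here is a small self-contained SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) with the client and server halves kept separate. It is an added example, not code from this thread, from PostgreSQL or from any SASL library; all function names are hypothetical, it omits SASLprep and channel binding (the "n,," GS2 header), and the sample credential is constructed.

```python
"""Minimal SCRAM-SHA-256 exchange with the server side isolated from the password.

Added example (not PostgreSQL code). Simplifications: no SASLprep normalisation,
no channel binding ("n,," GS2 header), helper names are hypothetical.
"""
import base64
import hashlib
import hmac
import os
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _derive_keys(password: str, salt: bytes, iterations: int):
    # Hi() of RFC 5802 is PBKDF2-HMAC-SHA-256; ClientKey/ServerKey are HMACs over fixed labels
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return _hmac(salted, b"Client Key"), _hmac(salted, b"Server Key")


# ---------- server side: only ever sees the stored verifier and the SCRAM messages ----------
def make_verifier(password: str, iterations: int = 4096, salt: bytes = None) -> dict:
    # The stored record (the analogue of a pg_authid entry): salt, iteration count,
    # StoredKey = H(ClientKey) and ServerKey. Neither the password nor ClientKey is kept,
    # so a copy of this record is not password-equivalent the way an md5 hash is.
    salt = salt or os.urandom(16)
    client_key, server_key = _derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(client_key), "server_key": server_key}


def server_first_message(verifier: dict, client_first_bare: str, server_nonce: str = None) -> str:
    client_nonce = client_first_bare.split(",r=", 1)[1]
    nonce = client_nonce + (server_nonce or secrets.token_urlsafe(18))
    return f"r={nonce},s={_b64(verifier['salt'])},i={verifier['iterations']}"


def server_verify(verifier: dict, client_first_bare: str, server_first: str, client_final: str) -> str:
    # Recover ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage) and check
    # H(ClientKey) == StoredKey. Holding only StoredKey does not let anyone build a proof.
    without_proof, proof_b64 = client_final.rsplit(",p=", 1)
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    client_sig = _hmac(verifier["stored_key"], auth_message)
    client_key = _xor(base64.b64decode(proof_b64), client_sig)
    if not hmac.compare_digest(_h(client_key), verifier["stored_key"]):
        return "e=invalid-proof"
    # server-final-message: proves knowledge of ServerKey, giving mutual authentication
    return "v=" + _b64(_hmac(verifier["server_key"], auth_message))


# ---------- client side: the only place the password is ever used ----------
def client_first_message(username: str, client_nonce: str = None) -> str:
    # The "bare" part; the full message on the wire is "n,," + this
    return f"n={username},r={client_nonce or secrets.token_urlsafe(18)}"


def client_final_message(password: str, client_first_bare: str, server_first: str):
    attrs = dict(item.split("=", 1) for item in server_first.split(","))
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    client_key, server_key = _derive_keys(password, salt, iterations)
    without_proof = f"c={_b64(b'n,,')},r={attrs['r']}"
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    expected_server_sig = _hmac(server_key, auth_message)
    return without_proof + ",p=" + _b64(proof), expected_server_sig


def client_verify_server(server_final: str, expected_server_sig: bytes) -> bool:
    return server_final.startswith("v=") and hmac.compare_digest(
        base64.b64decode(server_final[2:]), expected_server_sig)


def run_exchange(username: str, password: str, verifier: dict,
                 client_nonce: str = None, server_nonce: str = None):
    """Drive one exchange; returns (server_accepted_client, client_accepted_server, transcript)."""
    cf = client_first_message(username, client_nonce)
    sf = server_first_message(verifier, cf, server_nonce)
    cfinal, expected = client_final_message(password, cf, sf)
    sfinal = server_verify(verifier, cf, sf, cfinal)
    return sfinal.startswith("v="), client_verify_server(sfinal, expected), ["n,," + cf, sf, cfinal, sfinal]


if __name__ == "__main__":
    v = make_verifier("pencil")                     # constructed sample credential
    print(run_exchange("user", "pencil", v)[:2])    # (True, True)
    print(run_exchange("user", "wrong", v)[:2])     # (False, False)
```

The split into server-side and client-side functions is the point: `server_verify` and `server_first_message` receive only the verifier and the wire messages, never the password, and the verifier holds `StoredKey`, which is a one-way function of `ClientKey`. Without TLS the exchange is still subject to an active man-in-the-middle relaying messages, which is why the channel-binding variant (`p=tls-unique` and friends) exists; this example deliberately negotiates none.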
_______________________________________________
Pkg-postgresql-public mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-postgresql-public
