On 05/02/2017 09:57 PM, Robert Haas wrote:
Does db_user_namespace work with SCRAM?
Yes. Haven't tested it, come to think of it, but it should work.
- Heikki
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
On Tue, Apr 18, 2017 at 7:58 AM, Magnus Hagander wrote:
>> Yeah, that would be reasonable. It can't be called just "password",
>> though, because there's no way to implement "password-or-md5-or-scram" in a
>> sensible way (see my reply to Simon at [1]). Unless we remove the
On Tue, Apr 18, 2017 at 1:52 PM, Heikki Linnakangas wrote:
> On 04/14/2017 10:33 PM, Peter Eisentraut wrote:
>
>> On 4/11/17 01:10, Heikki Linnakangas wrote:
>>
>>> That question won't arise in practice. Firstly, if the server can do
>>> scram-sha-256-plus, it presumably can
On 04/14/2017 10:33 PM, Peter Eisentraut wrote:
On 4/11/17 01:10, Heikki Linnakangas wrote:
That question won't arise in practice. Firstly, if the server can do
scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless
there's a change in the way the channel binding works, such
On 16 April 2017 07:14:21 EEST, Noah Misch wrote:
>This PostgreSQL 10 open item is past due for your status update.
>Kindly send
>a status update within 24 hours, and include a date for your subsequent
>status
>update.
I will pick this up on Tuesday. The consensus seems
On Wed, Apr 12, 2017 at 02:33:27AM -0400, Noah Misch wrote:
> On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote:
> > On 04/11/2017 04:52 AM, Peter Eisentraut wrote:
> > >On 4/10/17 04:27, Heikki Linnakangas wrote:
> > >>One thing to consider is that we just made the decision that
On 4/11/17 01:10, Heikki Linnakangas wrote:
> That question won't arise in practice. Firstly, if the server can do
> scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless
> there's a change in the way the channel binding works, such that the
> scram-sha-512-plus variant needs
On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote:
> On 04/11/2017 04:52 AM, Peter Eisentraut wrote:
> >On 4/10/17 04:27, Heikki Linnakangas wrote:
> >>One thing to consider is that we just made the decision that "md5"
> >>actually means "md5 or scram-sha-256". Extrapolating from
On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote:
> On 04/11/2017 04:52 AM, Peter Eisentraut wrote:
> Good question. We would need to decide the order of preference for those.
>
> That question won't arise in practice. Firstly, if the server can do
> scram-sha-256-plus, it
On 04/11/2017 04:52 AM, Peter Eisentraut wrote:
On 4/10/17 04:27, Heikki Linnakangas wrote:
One thing to consider is that we just made the decision that "md5"
actually means "md5 or scram-sha-256". Extrapolating from that, I think
we'll want "scram-sha-256" to mean "scram-sha-256 or
On 4/10/17 04:27, Heikki Linnakangas wrote:
> One thing to consider is that we just made the decision that "md5"
> actually means "md5 or scram-sha-256". Extrapolating from that, I think
> we'll want "scram-sha-256" to mean "scram-sha-256 or scram-sha-256-plus"
> (i.e. the channel-bonding
On 4/9/17 19:19, Noah Misch wrote:
> These are the two chief approaches I'm seeing:
>
> 1. scram-sha-256, scram-sha-256-plus, and successors will be their own
>pg_hba.conf authentication methods. Until and unless someone implements an
>ability to name multiple methods per HBA line, you
On 04/10/2017 02:19 AM, Noah Misch wrote:
On Fri, Apr 07, 2017 at 10:28:59AM +0300, Heikki Linnakangas wrote:
On 04/07/2017 08:21 AM, Noah Misch wrote:
Michael shared[1] better pg_hba.conf syntax on 2016-11-05. I agreed[2] with
his framing of the problem and provided two syntax alternatives,
On 10 April 2017 at 13:57, Craig Ringer wrote:
> On 10 April 2017 at 12:34, Michael Paquier wrote:
>
>> Attached is a patch to hopefully make the discussion progress. I
>> simply propose to use sasl as a keyword for pg_hba.conf, on the basis
>>
On 10 April 2017 at 12:34, Michael Paquier wrote:
> Attached is a patch to hopefully make the discussion progress. I
> simply propose to use sasl as a keyword for pg_hba.conf, on the basis
> that SASL is the protocol used, and scram is a mechanism used to
> achieve the
On Sat, Apr 8, 2017 at 9:28 AM, Robert Haas wrote:
> On Fri, Apr 7, 2017 at 6:32 PM, Michael Paquier
> wrote:
>> On Sat, Apr 8, 2017 at 1:59 AM, Robert Haas wrote:
>>> On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas
On Fri, Apr 07, 2017 at 10:28:59AM +0300, Heikki Linnakangas wrote:
> On 04/07/2017 08:21 AM, Noah Misch wrote:
> >Michael shared[1] better pg_hba.conf syntax on 2016-11-05. I agreed[2] with
> >his framing of the problem and provided two syntax alternatives, on
> >2017-01-18. Michael
On Fri, Apr 7, 2017 at 6:32 PM, Michael Paquier
wrote:
> On Sat, Apr 8, 2017 at 1:59 AM, Robert Haas wrote:
>> On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas wrote:
>>> I think the "SCRAM" part is more important than
On Sat, Apr 8, 2017 at 1:59 AM, Robert Haas wrote:
> On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas wrote:
>> I think the "SCRAM" part is more important than "SHA-256", so -1 on that.
>
> I agree. The point here isn't that we're using a better hashing
On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas wrote:
> I think the "SCRAM" part is more important than "SHA-256", so -1 on that.
I agree. The point here isn't that we're using a better hashing
method, even if a lot of people *think* that's the point. The point
is we're
On 07/04/17 11:05, Magnus Hagander wrote:
On Fri, Apr 7, 2017 at 9:59 AM, Heikki Linnakangas > wrote:
On 04/07/2017 10:38 AM, Magnus Hagander wrote:
So here's a wild idea. What if we just call it "sha256"? Does
the user
On Fri, Apr 7, 2017 at 9:59 AM, Heikki Linnakangas wrote:
> On 04/07/2017 10:38 AM, Magnus Hagander wrote:
>
>> So here's a wild idea. What if we just call it "sha256"? Does the user
>> actually care about it being scram, or is scram just an implementation
>> detail for them?
On 7 April 2017 at 15:59, Heikki Linnakangas wrote:
> On 04/07/2017 10:38 AM, Magnus Hagander wrote:
>> Not sure if it would be doable in the code, but we could also have:
>> host all all example.com scram method=sha256plus,sha256
>>
>> or something like that. Which would fit
On 04/07/2017 10:38 AM, Magnus Hagander wrote:
So here's a wild idea. What if we just call it "sha256"? Does the user
actually care about it being scram, or is scram just an implementation
detail for them? That way when the next one shows up, it'll be sha512 or
whatever. It happens to use scram
Jumping late into this one, apologies if these opinions have already been
up and discarded.
On Fri, Apr 7, 2017 at 9:28 AM, Heikki Linnakangas wrote:
> On 04/07/2017 08:21 AM, Noah Misch wrote:
>
>> On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote:
>>
>>> On
On 04/07/2017 08:21 AM, Noah Misch wrote:
On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote:
On 04/06/2017 08:36 AM, Noah Misch wrote:
On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote:
I didn't include the last-minute changes to the way you specify this in
On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote:
> On 04/06/2017 08:36 AM, Noah Misch wrote:
> >On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote:
> >>I didn't include the last-minute changes to the way you specify this in
> >>pg_hba.conf. So it's still just
On 04/06/2017 08:36 AM, Noah Misch wrote:
On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote:
I didn't include the last-minute changes to the way you specify this in
pg_hba.conf. So it's still just "scram". I agree in general that we should
think about how to extend that too,
On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote:
> I didn't include the last-minute changes to the way you specify this in
> pg_hba.conf. So it's still just "scram". I agree in general that we should
> think about how to extend that too, but I think the proposed syntax was
>
On Tue, Mar 7, 2017 at 4:36 AM, Heikki Linnakangas wrote:
> On 03/02/2017 08:50 AM, Michael Paquier wrote:
>
>> Attached is a new patch set. I have combined SASLprep with the rest
>> and fixed some conflicts. At the same time when going through NFKC
>> this morning I have
On Tue, Mar 7, 2017 at 9:36 PM, Heikki Linnakangas wrote:
> I've now committed the bulk of these patches. Many thanks to everyone
> involved, and especially you, Michael, for your persistence!
Thanks!
> There are a bunch of loose ends, like the SASLprep thing. But the core of
>
On 03/02/2017 08:50 AM, Michael Paquier wrote:
Attached is a new patch set. I have combined SASLprep with the rest
and fixed some conflicts. At the same time when going through NFKC
this morning I have noticed that the implementation was doing the
canonical decomposition and reordered the
On 02/20/2017 01:51 PM, Aleksander Alekseev wrote:
Currently I don't see any significant flaws in these patches. However I
would like to verify that implemented algorithms are compatible with
algorithms implemented by third party.
Yes, that's very important.
For instance, for user 'eax' and
On Mon, Mar 6, 2017 at 11:50 AM, Michael Paquier
wrote:
> On Fri, Mar 3, 2017 at 2:43 PM, Michael Paquier
> wrote:
>> I am attaching 0009 and 0010 that address those problems (pushed on
>> github as well) that can be applied on top of the
On Fri, Mar 3, 2017 at 2:43 PM, Michael Paquier
wrote:
> I am attaching 0009 and 0010 that address those problems (pushed on
> github as well) that can be applied on top of the latest set.
While doing more tests with my module able to do SASLprep, I have
noticed that
On Thu, Mar 2, 2017 at 9:13 PM, Kyotaro HORIGUCHI
wrote:
> I'm studying the normalization of Unicode so I apologize possible
> stupidity in advance.
>
> I looked into this and have some comments. Sorry for the random
> order.
Thanks, this needs a lot of
I'm studying the normalization of Unicode so I apologize possible
stupidity in advance.
At Thu, 2 Mar 2017 15:50:34 +0900, Michael Paquier
wrote in
> On Tue, Feb 21, 2017 at 9:53 AM, Michael Paquier
On Mon, Feb 20, 2017 at 9:41 PM, Aleksander Alekseev
wrote:
>> Speaking about flaws, it looks like there is a memory leak in
>> array_to_utf procedure - result is allocated twice.
Pushed a fix for this one on my branch.
> And a few more things I've noticed after a
And a few more things I've noticed after a closer look:
* build_client_first_message does not free `state->client_nonce` if
second malloc (for `buf`) fails
* same for `state->client_first_message_bare`
* ... and most other procedures declared in fe-auth-scram.c file
(see malloc and strdup
Speaking about flaws, it looks like there is a memory leak in
array_to_utf procedure - result is allocated twice.
On Mon, Feb 20, 2017 at 02:51:13PM +0300, Aleksander Alekseev wrote:
> Hi!
>
> Currently I don't see any significant flaws in these patches. However I
> would like to verify that
Hi!
Currently I don't see any significant flaws in these patches. However I
would like to verify that implemented algorithms are compatible with
algorithms implemented by third party.
For instance, for user 'eax' and password 'pass' I got the following
record in pg_authid:
```
scram-sha-256:
On Sun, Feb 19, 2017 at 10:07 PM, Michael Paquier
wrote:
> There is something that I think is still unwelcome in this patch: the
> interface in pg_hba.conf. I mentioned that in the previous thread but
> now if you want to match a user and a database with a scram
On Wed, Feb 15, 2017 at 8:28 PM, Heikki Linnakangas wrote:
> On 02/07/2017 04:20 AM, Michael Paquier wrote:
>> --- a/src/backend/utils/errcodes.txt
>> +++ b/src/backend/utils/errcodes.txt
>> @@ -247,6 +247,7 @@ Section: Class 28 - Invalid Authorization
>> Specification
>>
>>
On Sun, Feb 19, 2017 at 6:55 PM, Robert Haas wrote:
> Gosh, this SCRAM stuff seems to be taking us pretty deeply into
> dealing with encoding details which apparently we haven't formerly
> needed to worry about. That is a little surprising and maybe
> something we should
On Fri, Feb 17, 2017 at 7:29 PM, Michael Paquier
wrote:
> On Wed, Feb 15, 2017 at 9:27 PM, Michael Paquier
> wrote:
>> On Wed, Feb 15, 2017 at 7:58 PM, Heikki Linnakangas wrote:
>>> On 02/09/2017 09:33 AM, Michael Paquier
On Wed, Feb 15, 2017 at 9:27 PM, Michael Paquier
wrote:
> On Wed, Feb 15, 2017 at 7:58 PM, Heikki Linnakangas wrote:
>> On 02/09/2017 09:33 AM, Michael Paquier wrote:
>>> Now regarding the shape of the implementation for SCRAM, we need one
>>> thing: a
On Wed, Feb 15, 2017 at 8:28 PM, Heikki Linnakangas wrote:
> Ah, found it. It was because of this change:
>
> Having two error codes with the same SQLSTATE is not cool, and tripped the
> assertion in PL/python. I removed the new error code, it was only used in
> one place, and
On Wed, Feb 15, 2017 at 7:58 PM, Heikki Linnakangas wrote:
> On 02/09/2017 09:33 AM, Michael Paquier wrote:
>> Now regarding the shape of the implementation for SCRAM, we need one
>> thing: a set of routines in src/common/ to build decompositions for a
>> given UTF-8 string with
On 02/07/2017 04:20 AM, Michael Paquier wrote:
On Tue, Feb 7, 2017 at 3:12 AM, Aleksander Alekseev
wrote:
No, I'm afraid `make distclean` doesn't help. I've re-checked twice.
Hm. I can see the failure on macos and python2 builds as well with the
set of patches
On 02/09/2017 09:33 AM, Michael Paquier wrote:
On Tue, Feb 7, 2017 at 11:28 AM, Michael Paquier
wrote:
Yes, I am actively working on this one now. I am trying to come up
first with something in the shape of an extension to begin with, and
get a patch out of it. That
On Tue, Feb 7, 2017 at 11:28 AM, Michael Paquier
wrote:
> Yes, I am actively working on this one now. I am trying to come up
> first with something in the shape of an extension to begin with, and
> get a patch out of it. That will be more simple for testing. For now
>
On Mon, Feb 6, 2017 at 9:55 PM, Heikki Linnakangas wrote:
> I rebased the SCRAM authentication patches over current master. Here you
> are.
Thanks! Nice to see you around.
> So, if you haven't paid attention on this for a while, now would be a good
> time to have another look
On Tue, Feb 7, 2017 at 3:12 AM, Aleksander Alekseev
wrote:
> No, I'm afraid `make distclean` doesn't help. I've re-checked twice.
Hm. I can see the failure on macos and python2 builds as well with the
set of patches applied. And the master branch is working properly.
No, I'm afraid `make distclean` doesn't help. I've re-checked twice.
On Mon, Feb 06, 2017 at 12:52:11PM -0300, Alvaro Herrera wrote:
> Aleksander Alekseev wrote:
> > Hello.
> >
> > Good to know that the work on this great feature continues!
> >
> > However this set of patches does not pass
Aleksander Alekseev wrote:
> Hello.
>
> Good to know that the work on this great feature continues!
>
> However this set of patches does not pass `make check-world` on my
> laptop.
>
> Here is how I build and test PostgreSQL:
>
> https://github.com/afiskon/pgscripts/blob/master/full-build.sh
Hello.
Good to know that the work on this great feature continues!
However this set of patches does not pass `make check-world` on my
laptop.
Here is how I build and test PostgreSQL:
https://github.com/afiskon/pgscripts/blob/master/full-build.sh
Error message:
I rebased the SCRAM authentication patches over current master. Here you
are.
I'm trying to whack this into the final shape that it could actually be
committed. The previous thread on SCRAM authentication has grown
ridiculously long and meandered into all kinds of details, so I thought
it's
57 matches
Mail list logo