Re: [HACKERS] SCRAM authentication, take three

On 05/02/2017 09:57 PM, Robert Haas wrote: Does db_user_namespace work with SCRAM? Yes. Haven't tested it, come to think of it, but it should work. - Heikki -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription:

Re: [HACKERS] SCRAM authentication, take three

On Tue, Apr 18, 2017 at 7:58 AM, Magnus Hagander wrote: >> Yeah, that would be reasonable. It can't be called just "password", >> though, because there's no way to implement "password-or-md5-or-scram" in a >> sensible way (see my reply to Simon at [1]). Unless we remove the

Re: [HACKERS] SCRAM authentication, take three

On Tue, Apr 18, 2017 at 1:52 PM, Heikki Linnakangas wrote: > On 04/14/2017 10:33 PM, Peter Eisentraut wrote: > >> On 4/11/17 01:10, Heikki Linnakangas wrote: >> >>> That question won't arise in practice. Firstly, if the server can do >>> scram-sha-256-plus, it presumably can

Re: [HACKERS] SCRAM authentication, take three

On 04/14/2017 10:33 PM, Peter Eisentraut wrote: On 4/11/17 01:10, Heikki Linnakangas wrote: That question won't arise in practice. Firstly, if the server can do scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless there's a change in the way the channel binding works, such

Re: [HACKERS] SCRAM authentication, take three

On 16 April 2017 07:14:21 EEST, Noah Misch wrote: >This PostgreSQL 10 open item is past due for your status update. >Kindly send >a status update within 24 hours, and include a date for your subsequent >status >update. I will pick this up on Tuesday. The consensus seems

Re: [HACKERS] SCRAM authentication, take three

On Wed, Apr 12, 2017 at 02:33:27AM -0400, Noah Misch wrote: > On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote: > > On 04/11/2017 04:52 AM, Peter Eisentraut wrote: > > >On 4/10/17 04:27, Heikki Linnakangas wrote: > > >>One thing to consider is that we just made the decision that

Re: [HACKERS] SCRAM authentication, take three

On 4/11/17 01:10, Heikki Linnakangas wrote: > That question won't arise in practice. Firstly, if the server can do > scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless > there's a change in the way the channel binding works, such that the > scram-sha-512-plus variant needs

Re: [HACKERS] SCRAM authentication, take three

On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote: > On 04/11/2017 04:52 AM, Peter Eisentraut wrote: > >On 4/10/17 04:27, Heikki Linnakangas wrote: > >>One thing to consider is that we just made the decision that "md5" > >>actually means "md5 or scram-sha-256". Extrapolating from

Re: [HACKERS] SCRAM authentication, take three

On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote: > On 04/11/2017 04:52 AM, Peter Eisentraut wrote: > Good question. We would need to decide the order of preference for those. > > That question won't arise in practice. Firstly, if the server can do > scram-sha-256-plus, it

Re: [HACKERS] SCRAM authentication, take three

On 04/11/2017 04:52 AM, Peter Eisentraut wrote: On 4/10/17 04:27, Heikki Linnakangas wrote: One thing to consider is that we just made the decision that "md5" actually means "md5 or scram-sha-256". Extrapolating from that, I think we'll want "scram-sha-256" to mean "scram-sha-256 or

Re: [HACKERS] SCRAM authentication, take three

On 4/10/17 04:27, Heikki Linnakangas wrote: > One thing to consider is that we just made the decision that "md5" > actually means "md5 or scram-sha-256". Extrapolating from that, I think > we'll want "scram-sha-256" to mean "scram-sha-256 or scram-sha-256-plus" > (i.e. the channel-bonding

Re: [HACKERS] SCRAM authentication, take three

On 4/9/17 19:19, Noah Misch wrote: > These are the two chief approaches I'm seeing: > > 1. scram-sha-256, scram-sha-256-plus, and successors will be their own >pg_hba.conf authentication methods. Until and unless someone implements an >ability to name multiple methods per HBA line, you

Re: [HACKERS] SCRAM authentication, take three

On 04/10/2017 02:19 AM, Noah Misch wrote: On Fri, Apr 07, 2017 at 10:28:59AM +0300, Heikki Linnakangas wrote: On 04/07/2017 08:21 AM, Noah Misch wrote: Michael shared[1] better pg_hba.conf syntax on 2016-11-05. I agreed[2] with his framing of the problem and provided two syntax alternatives,

Re: [HACKERS] SCRAM authentication, take three

On 10 April 2017 at 13:57, Craig Ringer wrote: > On 10 April 2017 at 12:34, Michael Paquier wrote: > >> Attached is a patch to hopefully make the discussion progress. I >> simply propose to use sasl as a keyword for pg_hba.conf, on the basis >>

Re: [HACKERS] SCRAM authentication, take three

On 10 April 2017 at 12:34, Michael Paquier wrote: > Attached is a patch to hopefully make the discussion progress. I > simply propose to use sasl as a keyword for pg_hba.conf, on the basis > that SASL is the protocol used, and scram is a mechanism used to > achieve the

Re: [HACKERS] SCRAM authentication, take three

On Sat, Apr 8, 2017 at 9:28 AM, Robert Haas wrote: > On Fri, Apr 7, 2017 at 6:32 PM, Michael Paquier > wrote: >> On Sat, Apr 8, 2017 at 1:59 AM, Robert Haas wrote: >>> On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas

Re: [HACKERS] SCRAM authentication, take three

On Fri, Apr 07, 2017 at 10:28:59AM +0300, Heikki Linnakangas wrote: > On 04/07/2017 08:21 AM, Noah Misch wrote: > >Michael shared[1] better pg_hba.conf syntax on 2016-11-05. I agreed[2] with > >his framing of the problem and provided two syntax alternatives, on > >2017-01-18. Michael

Re: [HACKERS] SCRAM authentication, take three

On Fri, Apr 7, 2017 at 6:32 PM, Michael Paquier wrote: > On Sat, Apr 8, 2017 at 1:59 AM, Robert Haas wrote: >> On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas wrote: >>> I think the "SCRAM" part is more important than

Re: [HACKERS] SCRAM authentication, take three

On Sat, Apr 8, 2017 at 1:59 AM, Robert Haas wrote: > On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas wrote: >> I think the "SCRAM" part is more important than "SHA-256", so -1 on that. > > I agree. The point here isn't that we're using a better hashing

Re: [HACKERS] SCRAM authentication, take three

On Fri, Apr 7, 2017 at 3:59 AM, Heikki Linnakangas wrote: > I think the "SCRAM" part is more important than "SHA-256", so -1 on that. I agree. The point here isn't that we're using a better hashing method, even if a lot of people *think* that's the point. The point is we're

Re: [HACKERS] SCRAM authentication, take three

On 07/04/17 11:05, Magnus Hagander wrote: On Fri, Apr 7, 2017 at 9:59 AM, Heikki Linnakangas > wrote: On 04/07/2017 10:38 AM, Magnus Hagander wrote: So here's a wild idea. What if we just call it "sha256"? Does the user

Re: [HACKERS] SCRAM authentication, take three

On Fri, Apr 7, 2017 at 9:59 AM, Heikki Linnakangas wrote: > On 04/07/2017 10:38 AM, Magnus Hagander wrote: > >> So here's a wild idea. What if we just call it "sha256"? Does the user >> actually care about it being scram, or is scram just an implementation >> detail for them?

Re: [HACKERS] SCRAM authentication, take three

On 7 April 2017 at 15:59, Heikki Linnakangas wrote: > On 04/07/2017 10:38 AM, Magnus Hagander wrote: >> Not sure if it would be doable in the code, but we could also have: >> host all all example.com scram method=sha256plus,sha256 >> >> or something like that. Which would fit

Re: [HACKERS] SCRAM authentication, take three

On 04/07/2017 10:38 AM, Magnus Hagander wrote: So here's a wild idea. What if we just call it "sha256"? Does the user actually care about it being scram, or is scram just an implementation detail for them? That way when the next one shows up, it'll be sha512 or whatever. It happens to use scram

Re: [HACKERS] SCRAM authentication, take three

Jumping late into this one, apologies if these opinions have already been up and discarded. On Fri, Apr 7, 2017 at 9:28 AM, Heikki Linnakangas wrote: > On 04/07/2017 08:21 AM, Noah Misch wrote: > >> On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote: >> >>> On

Re: [HACKERS] SCRAM authentication, take three

On 04/07/2017 08:21 AM, Noah Misch wrote: On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote: On 04/06/2017 08:36 AM, Noah Misch wrote: On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote: I didn't include the last-minute changes to the way you specify this in

Re: [HACKERS] SCRAM authentication, take three

On Thu, Apr 06, 2017 at 09:46:29PM +0300, Heikki Linnakangas wrote: > On 04/06/2017 08:36 AM, Noah Misch wrote: > >On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote: > >>I didn't include the last-minute changes to the way you specify this in > >>pg_hba.conf. So it's still just

Re: [HACKERS] SCRAM authentication, take three

On 04/06/2017 08:36 AM, Noah Misch wrote: On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote: I didn't include the last-minute changes to the way you specify this in pg_hba.conf. So it's still just "scram". I agree in general that we should think about how to extend that too,

Re: [HACKERS] SCRAM authentication, take three

On Tue, Mar 07, 2017 at 02:36:13PM +0200, Heikki Linnakangas wrote: > I didn't include the last-minute changes to the way you specify this in > pg_hba.conf. So it's still just "scram". I agree in general that we should > think about how to extend that too, but I think the proposed syntax was >

Re: [HACKERS] SCRAM authentication, take three

On Tue, Mar 7, 2017 at 4:36 AM, Heikki Linnakangas wrote: > On 03/02/2017 08:50 AM, Michael Paquier wrote: > >> Attached is a new patch set. I have combined SASLprep with the rest >> and fixed some conflicts. At the same time when going through NFKC >> this morning I have

Re: [HACKERS] SCRAM authentication, take three

On Tue, Mar 7, 2017 at 9:36 PM, Heikki Linnakangas wrote: > I've now committed the bulk of these patches. Many thanks to everyone > involved, and especially you, Michael, for your persistence! Thanks! > There are a bunch of loose ends, like the SASLprep thing. But the core of >

Re: [HACKERS] SCRAM authentication, take three

On 03/02/2017 08:50 AM, Michael Paquier wrote: Attached is a new patch set. I have combined SASLprep with the rest and fixed some conflicts. At the same time when going through NFKC this morning I have noticed that the implementation was doing the canonical decomposition and reordered the

Re: [HACKERS] SCRAM authentication, take three

On 02/20/2017 01:51 PM, Aleksander Alekseev wrote: Currently I don't see any significant flaws in these patches. However I would like to verify that implemented algorithms are compatible with algorithms implemented by third party. Yes, that's very important. For instance, for user 'eax' and

Re: [HACKERS] SCRAM authentication, take three

On Mon, Mar 6, 2017 at 11:50 AM, Michael Paquier wrote: > On Fri, Mar 3, 2017 at 2:43 PM, Michael Paquier > wrote: >> I am attaching 0009 and 0010 that address those problems (pushed on >> github as well) that can be applied on top of the

Re: [HACKERS] SCRAM authentication, take three

On Fri, Mar 3, 2017 at 2:43 PM, Michael Paquier wrote: > I am attaching 0009 and 0010 that address those problems (pushed on > github as well) that can be applied on top of the latest set. While doing more tests with my module able to do SASLprep, I have noticed that

Re: [HACKERS] SCRAM authentication, take three

On Thu, Mar 2, 2017 at 9:13 PM, Kyotaro HORIGUCHI wrote: > I'm studying the normalization of Unicode so I apologize possible > stupidity in advance. > > I looked into this and have some comments. Sorry for the random > order. Thanks, this needs a lot of

Re: [HACKERS] SCRAM authentication, take three

I'm studying the normalization of Unicode so I apologize possible stupidity in advance. At Thu, 2 Mar 2017 15:50:34 +0900, Michael Paquier wrote in > On Tue, Feb 21, 2017 at 9:53 AM, Michael Paquier

Re: [HACKERS] SCRAM authentication, take three

On Mon, Feb 20, 2017 at 9:41 PM, Aleksander Alekseev wrote: >> Speaking about flaws, it looks like there is a memory leak in >> array_to_utf procedure - result is allocated twice. Pushed a fix for this one on my branch. > And a few more things I've noticed after a

Re: [HACKERS] SCRAM authentication, take three

And a few more things I've noticed after a closer look: * build_client_first_message does not free `state->client_nonce` if second malloc (for `buf`) fails * same for `state->client_first_message_bare` * ... and most other procedures declared in fe-auth-scram.c file (see malloc and strdup

Re: [HACKERS] SCRAM authentication, take three

Speaking about flaws, it looks like there is a memory leak in array_to_utf procedure - result is allocated twice. On Mon, Feb 20, 2017 at 02:51:13PM +0300, Aleksander Alekseev wrote: > Hi! > > Currently I don't see any significant flaws in these patches. However I > would like to verify that

Re: [HACKERS] SCRAM authentication, take three

Hi! Currently I don't see any significant flaws in these patches. However I would like to verify that implemented algorithms are compatible with algorithms implemented by third party. For instance, for user 'eax' and password 'pass' I got the following record in pg_authid: ``` scram-sha-256:

Re: [HACKERS] SCRAM authentication, take three

On Sun, Feb 19, 2017 at 10:07 PM, Michael Paquier wrote: > There is something that I think is still unwelcome in this patch: the > interface in pg_hba.conf. I mentioned that in the previous thread but > now if you want to match a user and a database with a scram

Re: [HACKERS] SCRAM authentication, take three

On Wed, Feb 15, 2017 at 8:28 PM, Heikki Linnakangas wrote: > On 02/07/2017 04:20 AM, Michael Paquier wrote: >> --- a/src/backend/utils/errcodes.txt >> +++ b/src/backend/utils/errcodes.txt >> @@ -247,6 +247,7 @@ Section: Class 28 - Invalid Authorization >> Specification >> >>

Re: [HACKERS] SCRAM authentication, take three

On Sun, Feb 19, 2017 at 6:55 PM, Robert Haas wrote: > Gosh, this SCRAM stuff seems to be taking us pretty deeply into > dealing with encoding details which apparently we haven't formerly > needed to worry about. That is a little surprising and maybe > something we should

Re: [HACKERS] SCRAM authentication, take three

On Fri, Feb 17, 2017 at 7:29 PM, Michael Paquier wrote: > On Wed, Feb 15, 2017 at 9:27 PM, Michael Paquier > wrote: >> On Wed, Feb 15, 2017 at 7:58 PM, Heikki Linnakangas wrote: >>> On 02/09/2017 09:33 AM, Michael Paquier

Re: [HACKERS] SCRAM authentication, take three

On Wed, Feb 15, 2017 at 9:27 PM, Michael Paquier wrote: > On Wed, Feb 15, 2017 at 7:58 PM, Heikki Linnakangas wrote: >> On 02/09/2017 09:33 AM, Michael Paquier wrote: >>> Now regarding the shape of the implementation for SCRAM, we need one >>> thing: a

Re: [HACKERS] SCRAM authentication, take three

On Wed, Feb 15, 2017 at 8:28 PM, Heikki Linnakangas wrote: > Ah, found it. It was because of this change: > > Having two error codes with the same SQLSTATE is not cool, and tripped the > assertion in PL/python. I removed the new error code, it was only used in > one place, and

Re: [HACKERS] SCRAM authentication, take three

On Wed, Feb 15, 2017 at 7:58 PM, Heikki Linnakangas wrote: > On 02/09/2017 09:33 AM, Michael Paquier wrote: >> Now regarding the shape of the implementation for SCRAM, we need one >> thing: a set of routines in src/common/ to build decompositions for a >> given UTF-8 string with

Re: [HACKERS] SCRAM authentication, take three

On 02/07/2017 04:20 AM, Michael Paquier wrote: On Tue, Feb 7, 2017 at 3:12 AM, Aleksander Alekseev wrote: No, I'm afraid `make distclean` doesn't help. I've re-checked twice. Hm. I can see the failure on macos and python2 builds as well with the set of patches

Re: [HACKERS] SCRAM authentication, take three

On 02/09/2017 09:33 AM, Michael Paquier wrote: On Tue, Feb 7, 2017 at 11:28 AM, Michael Paquier wrote: Yes, I am actively working on this one now. I am trying to come up first with something in the shape of an extension to begin with, and get a patch out of it. That

Re: [HACKERS] SCRAM authentication, take three

On Tue, Feb 7, 2017 at 11:28 AM, Michael Paquier wrote: > Yes, I am actively working on this one now. I am trying to come up > first with something in the shape of an extension to begin with, and > get a patch out of it. That will be more simple for testing. For now >

Re: [HACKERS] SCRAM authentication, take three

On Mon, Feb 6, 2017 at 9:55 PM, Heikki Linnakangas wrote: > I rebased the SCRAM authentication patches over current master. Here you > are. Thanks! Nice to see you around. > So, if you haven't paid attention on this for a while, now would be a good > time to have another look

Re: [HACKERS] SCRAM authentication, take three

On Tue, Feb 7, 2017 at 3:12 AM, Aleksander Alekseev wrote: > No, I'm afraid `make distclean` doesn't help. I've re-checked twice. Hm. I can see the failure on macos and python2 builds as well with the set of patches applied. And the master branch is working properly.

Re: [HACKERS] SCRAM authentication, take three

No, I'm afraid `make distclean` doesn't help. I've re-checked twice. On Mon, Feb 06, 2017 at 12:52:11PM -0300, Alvaro Herrera wrote: > Aleksander Alekseev wrote: > > Hello. > > > > Good to know that the work on this great feature continues! > > > > However this set of patches does not pass

Re: [HACKERS] SCRAM authentication, take three

Aleksander Alekseev wrote: > Hello. > > Good to know that the work on this great feature continues! > > However this set of patches does not pass `make check-world` on my > laptop. > > Here is how I build and test PostgreSQL: > > https://github.com/afiskon/pgscripts/blob/master/full-build.sh

Re: [HACKERS] SCRAM authentication, take three

Hello. Good to know that the work on this great feature continues! However this set of patches does not pass `make check-world` on my laptop. Here is how I build and test PostgreSQL: https://github.com/afiskon/pgscripts/blob/master/full-build.sh Error message:

[HACKERS] SCRAM authentication, take three

I rebased the SCRAM authentication patches over current master. Here you are. I'm trying to whack this into the final shape that it could actually be committed. The previous thread on SCRAM authentication has grown ridiculously long and meandered into all kinds of details, so I thought it's