Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-02-02 Thread Heikki Linnakangas
On 02/02/2017 05:50 AM, David Rowley wrote: On 2 February 2017 at 00:13, Heikki Linnakangas wrote: Ok, I'll drop the second patch for now. I committed the first patch after fixing the things you and Michael pointed out. Thanks for the review! dbd69118 caused small compiler warning for me. Th

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-02-01 Thread David Rowley
On 2 February 2017 at 00:13, Heikki Linnakangas wrote: > Ok, I'll drop the second patch for now. I committed the first patch after > fixing the things you and Michael pointed out. Thanks for the review! dbd69118 caused small compiler warning for me. The attached fixed it. -- David Rowley

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-02-01 Thread Heikki Linnakangas
On 01/17/2017 11:51 PM, Peter Eisentraut wrote: On 1/3/17 9:09 AM, Heikki Linnakangas wrote: Since not everyone agrees with this approach, I split this patch into two. The first patch refactors things, replacing the isMD5() function with get_password_type(), without changing the representation o
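The refactoring discussed in this thread (replacing isMD5() with get_password_type()) and the objection raised earlier in it (the only way to tell a plaintext password from a verifier is to recognise every verifier format there is, and a plaintext password that happens to look like a verifier is misclassified) can be shown in a few lines. The following is an added example, written for this page, not code from the PostgreSQL patches or tree. The md5 verifier construction ("md5" followed by the hex MD5 of password concatenated with role name, 35 characters total) is PostgreSQL's real legacy scheme; the SCRAM verifier layout used here, SCRAM-SHA-256$iterations:salt$StoredKey:ServerKey with base64 fields, is the one PostgreSQL 10 eventually shipped and is assumed here, since the patches under review may have used a different layout. StoredKey and ServerKey are derived as in RFC 5802/7677. The hex-charset check in get_password_type and the salt value are additions of this example:

```python
import base64
import hashlib
import hmac

MD5_PASSWD_LEN = 35            # "md5" + 32 hex digits (PostgreSQL's MD5_PASSWD_LEN)
SCRAM_PREFIX = "SCRAM-SHA-256$"  # assumed: PostgreSQL 10's final rolpassword layout


def md5_verifier(password: str, username: str) -> str:
    """PostgreSQL legacy verifier: "md5" || hex(md5(password || rolename))."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def _scram_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 key derivation: SaltedPassword -> ClientKey, StoredKey, ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey> (assumed layout)."""
    stored_key, server_key = _scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{SCRAM_PREFIX}{iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def get_password_type(rolpassword: str) -> str:
    """Classify rolpassword by shape alone, as the refactored get_password_type() must.

    Note the inherent weakness: anything not recognised falls through to "plain",
    and a plaintext password shaped like a verifier is reported as that verifier.
    """
    if (rolpassword.startswith("md5") and len(rolpassword) == MD5_PASSWD_LEN
            and all(c in "0123456789abcdef" for c in rolpassword[3:])):
        return "md5"
    if rolpassword.startswith(SCRAM_PREFIX):
        return "scram-sha-256"
    return "plain"


def parse_scram_verifier(verifier: str):
    """Split the assumed layout into (iterations, salt, StoredKey, ServerKey)."""
    params, keys = verifier[len(SCRAM_PREFIX):].split("$", 1)
    iterations, salt_b64 = params.split(":", 1)
    stored_b64, server_b64 = keys.split(":", 1)
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def verify_password(rolpassword: str, username: str, candidate: str) -> bool:
    """Check a candidate password against whatever rolpassword turns out to hold."""
    kind = get_password_type(rolpassword)
    if kind == "md5":
        return hmac.compare_digest(md5_verifier(candidate, username), rolpassword)
    if kind == "scram-sha-256":
        iterations, salt, stored_key, _server_key = parse_scram_verifier(rolpassword)
        candidate_stored, _ = _scram_keys(candidate, salt, iterations)
        return hmac.compare_digest(candidate_stored, stored_key)
    # Plaintext: works with any authentication method, which is the one thing
    # the thread concedes in its favour.
    return hmac.compare_digest(rolpassword.encode("utf-8"), candidate.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample inputs, not values from the page.
    for stored in (md5_verifier("s3cret", "alice"),
                   scram_sha256_verifier("s3cret", b"constructed-salt"),
                   "s3cret",
                   "md5" + "0" * 32):   # a plaintext password shaped like a verifier
        print(get_password_type(stored), verify_password(stored, "alice", "s3cret"))
```

The last sample is the case the thread keeps returning to: a role whose plaintext password is literally "md5" followed by 32 hex digits is indistinguishable from an MD5 verifier once the type has to be inferred from the string, which is why an explicit type (a prefix that is always present, or a separate column) is being argued for. Adding a new verifier kind means adding a branch to get_password_type(), and forgetting one silently turns that verifier into a "plaintext" password.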

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-01-17 Thread Peter Eisentraut
On 1/3/17 9:09 AM, Heikki Linnakangas wrote: > Since not everyone agrees with this approach, I split this patch into > two. The first patch refactors things, replacing the isMD5() function > with get_password_type(), without changing the representation of > pg_authid.rolpassword. That is hopeful

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-01-05 Thread Michael Paquier
On Thu, Jan 5, 2017 at 10:31 PM, Peter Eisentraut wrote: > On 1/3/17 9:09 AM, Heikki Linnakangas wrote: >> Since not everyone agrees with this approach, I split this patch into >> two. The first patch refactors things, replacing the isMD5() function >> with get_password_type(), without changing th

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-01-05 Thread Peter Eisentraut
On 1/3/17 9:09 AM, Heikki Linnakangas wrote: > Since not everyone agrees with this approach, I split this patch into > two. The first patch refactors things, replacing the isMD5() function > with get_password_type(), without changing the representation of > pg_authid.rolpassword. That is hopeful

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-01-03 Thread Michael Paquier
On Tue, Jan 3, 2017 at 11:09 PM, Heikki Linnakangas wrote: > Since not everyone agrees with this approach, I split this patch into two. > The first patch refactors things, replacing the isMD5() function with > get_password_type(), without changing the representation of > pg_authid.rolpassword. Tha

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-01-03 Thread Heikki Linnakangas
On 12/21/2016 04:09 AM, Michael Paquier wrote: Thanks for having a look! Attached is a new version, with that bug fixed. I have been able to do more advanced testing without the crash and things seem to work properly. The attached set of tests is also able to pass for all the combinations of hba conf

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2017-01-03 Thread Heikki Linnakangas
On 12/14/2016 01:33 PM, Heikki Linnakangas wrote: I just noticed that the manual for CREATE ROLE says: Note that older clients might lack support for the MD5 authentication mechanism that is needed to work with passwords that are stored encrypted. That is incorrect. The alternative to MD5 a

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Michael Paquier
On Tue, Dec 20, 2016 at 9:23 PM, Heikki Linnakangas wrote: > On 12/16/2016 03:31 AM, Michael Paquier wrote: > Actually, it does still perform that check. There's a new function, > plain_crypt_verify, that passwordcheck uses now. plain_crypt_verify() is > intended to work with any future hash forma

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Stephen Frost
David, * David Fetter (da...@fetter.org) wrote: > On Tue, Dec 20, 2016 at 06:14:40PM -0500, Stephen Frost wrote: > > * David Fetter (da...@fetter.org) wrote: > > > On Tue, Dec 20, 2016 at 08:34:19AM -0500, Stephen Frost wrote: > > > > * Heikki Linnakangas (hlinn...@iki.fi) wrote: > > > > > Even if

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread David Fetter
On Tue, Dec 20, 2016 at 06:14:40PM -0500, Stephen Frost wrote: > David, > > * David Fetter (da...@fetter.org) wrote: > > On Tue, Dec 20, 2016 at 08:34:19AM -0500, Stephen Frost wrote: > > > * Heikki Linnakangas (hlinn...@iki.fi) wrote: > > > > Even if you have a separate "verifier type" column, it

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Stephen Frost
David, * David Fetter (da...@fetter.org) wrote: > On Tue, Dec 20, 2016 at 08:34:19AM -0500, Stephen Frost wrote: > > * Heikki Linnakangas (hlinn...@iki.fi) wrote: > > > Even if you have a separate "verifier type" column, it's not fully > > > normalized, because there's still a dependency between t

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Michael Paquier
On Wed, Dec 21, 2016 at 1:08 AM, David Fetter wrote: > Would a view that shows only what's to the left of the first semicolon > suit this purpose? Of course it would, you would just need to make the routines now checking the shape of MD5 and SCRAM identifiers available at SQL level and feed the s

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread David Fetter
On Tue, Dec 20, 2016 at 08:34:19AM -0500, Stephen Frost wrote: > Heikki, > > * Heikki Linnakangas (hlinn...@iki.fi) wrote: > > Even if you have a separate "verifier type" column, it's not fully > > normalized, because there's still a dependency between the > > verifier and verifier type columns. Y

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Stephen Frost
Heikki, * Heikki Linnakangas (hlinn...@iki.fi) wrote: > Even if you have a separate "verifier type" column, it's not fully > normalized, because there's still a dependency between the verifier > and verifier type columns. You will always need to look at the > verifier type to make sense of the ver

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Robert Haas
On Tue, Dec 20, 2016 at 6:37 AM, Heikki Linnakangas wrote: > It's more convenient to carry the type information with the verifier itself, > in backend code, in pg_dump, etc. Sure, you could have a separate "transfer" > text format that has the prefix, and strip it out when the datum enters the > s

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Heikki Linnakangas
On 12/16/2016 03:31 AM, Michael Paquier wrote: On Thu, Dec 15, 2016 at 9:48 PM, Heikki Linnakangas wrote: The only way to distinguish, is to know about every verifier kind there is, and check whether rolpassword looks valid as anything else than a plaintext password. And we already got tripped

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-20 Thread Heikki Linnakangas
On 12/16/2016 05:48 PM, Robert Haas wrote: On Thu, Dec 15, 2016 at 8:40 AM, Stephen Frost wrote: * Heikki Linnakangas (hlinn...@iki.fi) wrote: On 12/14/2016 04:57 PM, Stephen Frost wrote: * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: On 12/14/16 5:15 AM, Michael Paquier wrote:

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-19 Thread Robert Haas
On Sat, Dec 17, 2016 at 5:48 PM, Michael Paquier wrote: > On Sun, Dec 18, 2016 at 3:59 AM, Robert Haas wrote: >> On Fri, Dec 16, 2016 at 5:30 PM, Michael Paquier >> wrote: >>> From the discussions of last year on -hackers, it was decided to *not* >>> have an additional column per complains from

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-17 Thread Michael Paquier
On Sun, Dec 18, 2016 at 3:59 AM, Robert Haas wrote: > On Fri, Dec 16, 2016 at 5:30 PM, Michael Paquier > wrote: >> From the discussions of last year on -hackers, it was decided to *not* >> have an additional column per complains from a couple of hackers >> (Robert you were in this set at this poi

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-17 Thread Robert Haas
On Fri, Dec 16, 2016 at 5:30 PM, Michael Paquier wrote: > On Sat, Dec 17, 2016 at 5:42 AM, Stephen Frost wrote: >> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >>> On 12/15/16 8:40 AM, Stephen Frost wrote: >>> > I don't follow why we can't change the syntax for CREATE USER to allo

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-16 Thread Michael Paquier
On Sat, Dec 17, 2016 at 10:23 AM, Stephen Frost wrote: > * Michael Paquier (michael.paqu...@gmail.com) wrote: >> (Robert you were in this set at this point), and the same thing was >> concluded during the informal lunch meeting at PGcon. The point is, >> the existing SCRAM patch set can survive wi

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-16 Thread Stephen Frost
Michael, * Michael Paquier (michael.paqu...@gmail.com) wrote: > On Sat, Dec 17, 2016 at 5:42 AM, Stephen Frost wrote: > > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > >> On 12/15/16 8:40 AM, Stephen Frost wrote: > >> > I don't follow why we can't change the syntax for CREATE USE

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-16 Thread Michael Paquier
On Sat, Dec 17, 2016 at 5:42 AM, Stephen Frost wrote: > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >> On 12/15/16 8:40 AM, Stephen Frost wrote: >> > I don't follow why we can't change the syntax for CREATE USER to allow >> > specifying the verifier type independently. >> >> That'

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-16 Thread Stephen Frost
* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > On 12/15/16 8:40 AM, Stephen Frost wrote: > > I don't follow why we can't change the syntax for CREATE USER to allow > > specifying the verifier type independently. > > That's what the last patch set I looked at actually does. Well, s

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-16 Thread Peter Eisentraut
On 12/15/16 8:40 AM, Stephen Frost wrote: > I don't follow why we can't change the syntax for CREATE USER to allow > specifying the verifier type independently. That's what the last patch set I looked at actually does. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Devel

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-16 Thread Robert Haas
On Thu, Dec 15, 2016 at 8:40 AM, Stephen Frost wrote: > * Heikki Linnakangas (hlinn...@iki.fi) wrote: >> On 12/14/2016 04:57 PM, Stephen Frost wrote: >> >* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: >> >>On 12/14/16 5:15 AM, Michael Paquier wrote: >> >>>I would be tempted to sugges

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-15 Thread Michael Paquier
On Thu, Dec 15, 2016 at 9:48 PM, Heikki Linnakangas wrote: > The only way to distinguish, is to know about every verifier kind there is, > and check whether rolpassword looks valid as anything else than a plaintext > password. And we already got tripped by a bug-of-omission on that once. If > we

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-15 Thread Stephen Frost
* Heikki Linnakangas (hlinn...@iki.fi) wrote: > On 12/14/2016 04:57 PM, Stephen Frost wrote: > >* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > >>On 12/14/16 5:15 AM, Michael Paquier wrote: > >>>I would be tempted to suggest adding the verifier type as a new column > >>>of pg_authid

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-15 Thread Heikki Linnakangas
On 12/15/2016 03:00 AM, Michael Paquier wrote: On Wed, Dec 14, 2016 at 8:33 PM, Heikki Linnakangas wrote: But, a password stored in plaintext works with either MD5 or SCRAM, or any future authentication mechanism. So as soon as we have SCRAM authentication, it becomes somewhat useful again. In

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-15 Thread Heikki Linnakangas
On 12/14/2016 04:57 PM, Stephen Frost wrote: * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: On 12/14/16 5:15 AM, Michael Paquier wrote: I would be tempted to suggest adding the verifier type as a new column of pg_authid Yes please. This discussion seems to continue to come up

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Michael Paquier
On Wed, Dec 14, 2016 at 8:33 PM, Heikki Linnakangas wrote: > But, a password stored in plaintext works with either MD5 or SCRAM, or any > future authentication mechanism. So as soon as we have SCRAM authentication, > it becomes somewhat useful again. > > In a nutshell: > > auth / stored MD5

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Joshua D. Drake
On 12/14/2016 11:41 AM, Stephen Frost wrote: * Heikki Linnakangas (hlinn...@iki.fi) wrote: On 14 December 2016 20:12:05 EET, Bruce Momjian wrote: On Wed, Dec 14, 2016 at 11:27:15AM +0100, Magnus Hagander wrote: Storing plaintext passwords has been bad form for just about forever and I would

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Stephen Frost
* Heikki Linnakangas (hlinn...@iki.fi) wrote: > On 14 December 2016 20:12:05 EET, Bruce Momjian wrote: > >On Wed, Dec 14, 2016 at 11:27:15AM +0100, Magnus Hagander wrote: > >> I would so like to just drop support for plain passwords completely > >:) But > >> there's a backwards compatibility issue

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Heikki Linnakangas
On 14 December 2016 20:12:05 EET, Bruce Momjian wrote: >On Wed, Dec 14, 2016 at 11:27:15AM +0100, Magnus Hagander wrote: >> I would so like to just drop support for plain passwords completely >:) But >> there's a backwards compatibility issue to think about of course. >> >> But -- is there any

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Bruce Momjian
On Wed, Dec 14, 2016 at 11:27:15AM +0100, Magnus Hagander wrote: > I would so like to just drop support for plain passwords completely :) But > there's a backwards compatibility issue to think about of course. > > But -- is there any actual usecase for them anymore? I thought we recommended 'pass

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Stephen Frost
* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > On 12/14/16 5:15 AM, Michael Paquier wrote: > > I would be tempted to suggest adding the verifier type as a new column > > of pg_authid > > Yes please. This discussion seems to continue to come up and I don't entirely understand why w

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Peter Eisentraut
On 12/14/16 5:15 AM, Michael Paquier wrote: > I would be tempted to suggest adding the verifier type as a new column > of pg_authid Yes please. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Heikki Linnakangas
On 12/14/2016 12:27 PM, Magnus Hagander wrote: I would so like to just drop support for plain passwords completely :) But there's a backwards compatibility issue to think about of course. But -- is there any actual usecase for them anymore? Hmm. At the moment, I don't think there is. But, a p

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Heikki Linnakangas
On 12/14/2016 12:15 PM, Michael Paquier wrote: This work is definitely something that should be done before anything else. Need a patch or are you on it? I'm on it.. - Heikki

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Magnus Hagander
On Wed, Dec 14, 2016 at 9:51 AM, Heikki Linnakangas wrote: > On 12/09/2016 10:19 AM, Michael Paquier wrote: > >> On Fri, Dec 9, 2016 at 5:11 PM, Heikki Linnakangas >> wrote: >> >>> Couple of things I should write down before I forget: >>> >>> 1. It's a bit cumbersome that the scram verifiers sto

Re: pg_authid.rolpassword format (was Re: [HACKERS] Password identifiers, protocol aging and SCRAM protocol)

2016-12-14 Thread Michael Paquier
On Wed, Dec 14, 2016 at 5:51 PM, Heikki Linnakangas wrote: > The tip of the work branch can now do SCRAM authentication, when a user has > a plaintext password in pg_authid.rolpassword. The reverse doesn't work, > however: you cannot do plain "password" authentication, when the user has a > SCRAM