On Sat, Feb 17, 2018 at 08:52:11AM -0800, Andres Freund wrote:
> On 2018-02-17 11:39:57 -0500, Tom Lane wrote:
> > pg_authid | rolpassword | text
> that seems not to require one.
You can craft SCRAM verifiers that make it fail, which can be easily done
using this module:
https://github.com/michaelpq/pg_plugins/tree/master/scram_utils

=# create extension scram_utils ;
CREATE EXTENSION
=# select scram_utils_verifier('your_role_name', 'foo', 100, 9000);
ERROR: 54000: row is too big: size 12224, maximum size 8160

The third argument counts for the number of iterations to generate the
proof and the fourth controls the salt length. Longer salts make it
harder to reproduce connection proofs, so some users may want to
privilege that over the number of iterations, and those are perfectly
valid per the SCRAM exchange protocol.

There is another restriction which limits the size of authentication
messages to 2000 in libpq, which we may actually want to relax in the
future if we allow configurable in-core salt lengths to be created with
a GUC. And other clients like jdbc don't have this restriction if I
recall correctly.

In short, removing this restriction at least on HEAD for the backend
gives more flexibility.
--
Michael