On Sun, Feb 19, 2017 at 10:07 PM, Michael Paquier <michael.paqu...@gmail.com> wrote: > There is something that I think is still unwelcome in this patch: the > interface in pg_hba.conf. I mentioned that in the previous thread but > now if you want to match a user and a database with a scram password > you need to do that with the current set of patches: > local $dbname $user scram > That's not really portable as SCRAM is one protocol in the SASL > family, and even worse in our case we use SCRAM-SHA-256. I'd like to > change pg_hba.conf to be as follows: > local $dbname $user sasl protocol=scram_sha_256 > This is extensible for the future, and protocol is a mandatory option > that would have now just a single value: scram_sha_256. Heikki, > others, are you fine with that?
I have implemented that as 0009 which is attached, and need to be applied on the rest of upthread. I am not sure if we want to make the case where no protocol is specified map to everything. This would be a tricky support for users in the future if new authentication mechanisms for SASL are added in the future. Another issue that I have is: do we really want to have password_encryption being set to "scram" for verifiers of SCRAM-SHA-256? I would think that scram_sha_256 makes the most sense. Who knows, perhaps there could be in a couple of years a SHA-SHA-512.. At the same time, attached is a new version of 0008 that implements SASLprep, I have stabilized the beast after fixing some allocation calculations when converting the decomposed pg_wchar array back to a utf8 string. -- Michael
0009-Make-hba-configuration-for-SASL-more-extensible.patch
Description: Binary data
0008-Implement-SASLprep-aka-NFKC-for-SCRAM-authentication.patch.gz
Description: GNU Zip compressed data
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers