[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication

Aaron Zauner azet at azet.org
Wed Mar 4 14:46:30 UTC 2015


Hi,

Stephen Frost wrote:
> 
> PG supports client-side certificate based authentication which would be
> far better than any kind of password-based authentication.  If password
> based auth is insisted upon then TLS to verify the server-side and
> protect the network connection would be good and remove the need for the
> challenge/response protocol and lead to 'password' being an acceptable
> option there, but that doesn't mean it'd be a good default for Debian,
> imv, because we *don't* require server-authenticated TLS, or TLS at all,
> currently.  Further, I'm not convinced that 'password' there would really
> be all that much better than 'md5' as, as has been discussed, if you
> have access to pg_authid then you have access to the PG data directory.
> Further, at that point, you've probably got access to the backend and
> with password-based auth the postmaster process will see the user's
> actual password.
> 
> In the end, I think we might move to support SCRAM and simply deprecate
> md5 in favor of that rather than try to fix the current mechanism
> without breaking things because any such fix wouldn't be a serious
> improvement and would just mislead users into thinking it's safe.
> 
> We're currently looking at getting SCRAM support by implementing SASL,
> but I'm worried that we'll then create a dependency on SASL that people
> won't be happy with and therefore I'm very curious about how difficult
> it'd be to implement proper SCRAM directly.  Do you know if there is
> BSD-licensed code (PG is entirely BSD licensed) that implements SCRAM?
> 

Just to put the idea out there; PGSQL currently links to OpenSSL for
TLS, right? TLS has support for SRP [0] [1]. This could be used for
password based authenticated TLS sessions without client certificates.
Might be less of a burden on users than deploying PKIX with
client-certificates while still providing proper security.

Aaron

[0] https://en.wikipedia.org/wiki/TLS-SRP
[1] http://www.ietf.org/rfc/rfc5054.txt
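To make the options discussed in this thread concrete, here is a pg_hba.conf fragment showing the weak entry beside the alternatives. This is an added illustration, not configuration from the bug report or from Debian's packaging; the database name `appdb`, role `appuser` and network `10.0.0.0/24` are assumed placeholders.

```conf
# Added example pg_hba.conf fragment (hypothetical names; not from the Debian package).
# Rules are matched top to bottom and the first match wins, so order is significant.
# The hostssl lines need ssl=on in postgresql.conf; "cert" additionally needs
# ssl_ca_file pointing at the CA that issued the client certificates.

# Weak: md5 challenge/response over plain TCP. The server stores
# "md5" || md5(password || username) in pg_authid, and that stored verifier is
# itself the value the challenge is answered from, which is the concern raised above.
host      appdb   appuser   10.0.0.0/24   md5

# Preferred: TLS plus client-certificate authentication. No password is sent or
# stored; the certificate CN must match the role name (or be mapped via pg_ident.conf).
hostssl   appdb   appuser   10.0.0.0/24   cert

# If passwords must stay: require TLS so the server is verified and the channel is
# encrypted. scram-sha-256 (available from PostgreSQL 10) replaces the md5 scheme
# with a salted, iterated verifier. Keep only one of the two hostssl lines for a role.
hostssl   appdb   appuser   10.0.0.0/24   scram-sha-256

# Refuse non-TLS connections for this role from anywhere.
hostnossl appdb   appuser   0.0.0.0/0     reject
```

To find roles that still carry an md5-style verifier after a migration, run `SELECT rolname FROM pg_authid WHERE rolpassword LIKE 'md5%';` as a superuser; on PostgreSQL 10 and later, setting `password_encryption = scram-sha-256` before users reset their passwords makes the replacement verifiers SCRAM.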
