pgwire: path to supporting the md5 password authentication #73337

Open
knz opened this issue Dec 1, 2021 · 0 comments
Labels
A-security A-sql-pgwire pgwire protocol issues. C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) T-server-and-security DB Server & Security X-anchored-telemetry The issue number is anchored by telemetry references.

knz commented Dec 1, 2021

Suggested by @bdarnell in https://reviewable.io/reviews/cockroachdb/cockroach/72579#-MpDQFBW556WDFZOPJwW:-MplyXzV2tK4zGEmn4U8:b-ytyo6k

(I am not advocating for this, just mentioning it in case we want to soften the "never" language. I don't think it's
worth the effort since SCRAM #42519 is a better solution, but this would have been a reasonable option if md5
were the only non-plaintext password option in pgwire).

We could define a new storage format BCRYPT-MD5 (i.e. bcrypt(cost, md5(password))) and when the password is set using the input format password or MD5$hash we could compute and store the BCRYPT-MD5 encoding. That would let us support the pgwire md5 auth protocol in addition to plaintext (and as a bonus would be a first step to phasing out the hash-of-empty-string accident for new passwords).

Jira issue: CRDB-11549

@knz knz added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-sql-pgwire pgwire protocol issues. A-security labels Dec 1, 2021
@blathers-crl blathers-crl bot added the T-server-and-security DB Server & Security label Dec 1, 2021
@knz knz added the X-anchored-telemetry The issue number is anchored by telemetry references. label Dec 29, 2021