add support for scram-sha-256 with channel binding #101
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jeremybusk
approved these changes
Jan 18, 2021
Setting password_encryption to scram-sha-256 in postgresql.conf will
encrypt the password with SCRAM-SHA-256. The default is md5, which will
encrypt the password with MD5.
If the password was encrypted with SCRAM-SHA-256 in postgres (by
setting password_enc56 in postgresql.conf), then postgres clients can
authenticate to the postgres server by setting the ff the password was
encrypted with SCRAM-SHA-256 in postgres (by setting
password_encryption to scram-sha-256 in postgresql.conf), then postgres
cl ients can authenticate to the postgres server by setting the
authentication method specification to scram-sha-256 in pg_hba.conf.
The problem is that the pgmoon client doesn't support the SCRAM-SHA-256
authentication method. So the postgres server supports SCRAM-SHA-256,
but the client doesn't. If the password is encrypted with SCRAM-SHA-256
(by setting password_encryption to scram-sha-256 in postgresql.conf)
and if the postgres method authentication is set to SCRAM-SHA-256 (by
setting the authentication method specification to scram-sha-256 in
pg_hba.conf) then pgmoon won't be able to authenticate to postgres
because the password will be sent as SCRAM-SHA-256 encrypted and not
MD5 or plaintext (the ones supported by pgmoon).
Here we are implementing the client-side support for SCRAM-SHA-256 as
defined by [3]. Per the postgres docs [2] only SASL is supported as per
the RFC 7677 [3]. So the client implementation should be conformant to
that RFC only, not for the HTTP version of SCRAM-SHA-256 (RFC 7804).
Implementation details:
- Support for channel binding is implemented as per RFC 5929 [4]
* Only 'tls-server-end-point' is implemented because it's the only
channel binding type used by postgres
* Requires LuaSec release >= v1.0 for socket type `luasocket`
* Requires lua-resty-openssl release >= 0.6.10 for socket type `nginx`
- There is no support for authzid since postgres doesn't support it [1]
- Right now we are relying on luaossl to provide all the crypto things
such as HMAC, PBKDF2, SHA-256 hash function, random bytes generation,
etc. It would be nice if in the future we create a compatibility
layer to use both the luaossl and resty-openssl libraries for this
purpose
[1] https://github.com/postgres/postgres/blob/REL_13_1/src/backend/libpq/auth-scram.c#L1011-L1013
[2] https://www.postgresql.org/docs/13/auth-password.html
[3] https://www.rfcreader.com/#rfc7677
[4] https://www.rfcreader.com/#rfc5929
|
Sorry this hasn't been merged yet, the source code changes are in Lua, but this repository is written in MoonScript, so someone will have to port the code before the changes can be merged. I'm willing to do that, but I just haven't had time yet. |
|
Hello. Is it possible to merge these commits for being able to use in updated kong. Thanks. |
|
+1 |
Closed
leafo
added a commit
that referenced
this pull request
Oct 13, 2021
leafo
added a commit
that referenced
this pull request
Oct 13, 2021
|
This has been rewritten into MoonScript with some minor changes and merged into master. Thanks for the contribution! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
add support for scram-sha-256 with channel binding
Setting password_encryption to scram-sha-256 in postgresql.conf will
encrypt the password with SCRAM-SHA-256. The default is md5, which will
encrypt the password with MD5.
If the password was encrypted with SCRAM-SHA-256 in postgres (by
setting password_enc56 in postgresql.conf), then postgres clients can
authenticate to the postgres server by setting the ff the password was
encrypted with SCRAM-SHA-256 in postgres (by setting
password_encryption to scram-sha-256 in postgresql.conf), then postgres
cl ients can authenticate to the postgres server by setting the
authentication method specification to scram-sha-256 in pg_hba.conf.
The problem is that the pgmoon client doesn't support the SCRAM-SHA-256
authentication method. So the postgres server supports SCRAM-SHA-256,
but the client doesn't. If the password is encrypted with SCRAM-SHA-256
(by setting password_encryption to scram-sha-256 in postgresql.conf)
and if the postgres method authentication is set to SCRAM-SHA-256 (by
setting the authentication method specification to scram-sha-256 in
pg_hba.conf) then pgmoon won't be able to authenticate to postgres
because the password will be sent as SCRAM-SHA-256 encrypted and not
MD5 or plaintext (the ones supported by pgmoon).
Here we are implementing the client-side support for SCRAM-SHA-256 as
defined by [3]. Per the postgres docs [2] only SASL is supported as per
the RFC 7677 [3]. So the client implementation should be conformant to
that RFC only, not for the HTTP version of SCRAM-SHA-256 (RFC 7804).
Implementation details:
channel binding type used by postgres
luasocketnginxsuch as HMAC, PBKDF2, SHA-256 hash function, random bytes generation,
etc. It would be nice if in the future we create a compatibility
layer to use both the luaossl and resty-openssl libraries for this
purpose
[1] https://github.com/postgres/postgres/blob/REL_13_1/src/backend/libpq/auth-scram.c#L1011-L1013
[2] https://www.postgresql.org/docs/13/auth-password.html
[3] https://www.rfcreader.com/#rfc7677
[4] https://www.rfcreader.com/#rfc5929