SASL/SCRAM-SHA-256 support for PostgreSQL 10 #1530

Closed
john2014 opened this Issue Apr 8, 2017 · 12 comments

john2014 commented Apr 8, 2017

Hi Roji, one of the new features added to PostgreSQL 10 is using SCRAM-SHA-256 authentication instead of the default (and less secure) MD5 authentication.

For users to be able to use this new authentication, the client driver has to support it. The blog post below has more details:
http://paquier.xyz/postgresql-2/postgres-10-scram-authentication/

This blog post has a good overview on all major upcoming features:

http://rhaas.blogspot.com/2017/04/new-features-coming-in-postgresql-10.html

BTW, does Npgsql have something similar to PgBouncer built in?

roji added this to the 3.3 milestone Apr 9, 2017

Member

roji commented Apr 9, 2017

@john2014 yeah, I've been following the discussion and work on this on pghackers - it's an exciting feature. It's definitely something important that needs to be done.

Unfortunately, a quick search doesn't yield any good, maintained SASL implementation for .NET. We could in theory include a native SASL implementation (e.g. Cyrus) but that should really be a last-resort solution. If anyone has any experience or would like to give a hand, that would be very welcome.

(and yes, Npgsql includes a high-performance internal connection pool which is on by default)

Member

roji commented Dec 30, 2017

It may be possible to do SCRAM with CryptSharp.

CrazyAlex25 commented Jan 5, 2018

MailKit has a SCRAM implementation (it uses BouncyCastle).

Member

roji commented Jan 5, 2018

@CrazyAlex25 thanks, this looks great. It looks like we could easily bring in their implementation into Npgsql...

Member

roji commented Jan 5, 2018

@CrazyAlex25 are you interested in working on a PR for this? Otherwise I can probably get around to it soon.

CrazyAlex25 commented Jan 5, 2018

I can extract the code, but I do not know how to prepare it for implementation in this project. I have not figured out where this code will be called.

Contributor

uhayat commented Jan 5, 2018

@roji last weekend I added a SCRAM implementation for Postgres 10. Following is the commit that I pushed today.
Implementation for SCRAM-SHA-256 for Postgresql 10
99% of the work is complete and it properly authenticates users with a scram-sha-256 password. A bit of work is pending; I will try to cover it tomorrow.

Member

roji commented Jan 6, 2018

@uhayat that's great to hear! I don't currently have time to look at your code; once you finish up please submit a PR and I'll review properly. Did you base your work on MailKit as @CrazyAlex25 suggested above or on something else?

CrazyAlex25 commented Jan 6, 2018

@roji Looking at the code, I can tell that it is their own implementation of SASL + System.Security.Cryptography.HMACSHA256. And it's good, because MailKit depends on BouncyCastle.

Contributor

uhayat commented Jan 6, 2018

@roji Created the following pull request:
#1769
@roji @CrazyAlex25, yes, the work is not based on MailKit or any other .NET implementation. Before implementing this thing, I went through a number of implementations (dotnet, Java and native C); all of them had some dependencies that I tried to avoid (e.g. license, incompatibility with the PostgreSQL implementation, or over-complexity).

roji removed the up for grabs label Jan 31, 2018

Member

roji commented Jan 31, 2018

Merged #1769, thanks @uhayat.

roji closed this Jan 31, 2018

roji changed the title from "SCRAM support for Postgresql 10" to "SASL/SCRAM-SHA-256 support for PostgreSQL 10" Feb 3, 2018

roji modified the milestones: 3.3, 3.2.7 Feb 3, 2018

Member

roji commented Feb 3, 2018

Backported this for 3.2.7.
