pgwire: path to supporting the md5 password authentication #73337
Description
Suggested by @bdarnell in https://reviewable.io/reviews/cockroachdb/cockroach/72579#-MpDQFBW556WDFZOPJwW:-MplyXzV2tK4zGEmn4U8:b-ytyo6k
(I am not advocating for this, just mentioning it in case we want to soften the "never" language. I don't think it's worth the effort since SCRAM #42519 is a better solution, but this would have been a reasonable option if md5 were the only non-plaintext password option in pgwire).
We could define a new storage format BCRYPT-MD5 (i.e. bcrypt(cost, md5(password))) and when the password is set using the input format password or MD5$hash we could compute and store the BCRYPT-MD5 encoding. That would let us support the pgwire md5 auth protocol in addition to plaintext (and as a bonus would be a first step to phasing out the hash-of-empty-string accident for new passwords).
Jira issue: CRDB-11549