
Add support for client SCRAM authentication #255


Open
levkk opened this issue Dec 13, 2022 · 6 comments

Comments

@levkk
Contributor

levkk commented Dec 13, 2022

Is your feature request related to a problem? Please describe.

Postgres 14 switched the default password encryption and authentication method from MD5 to SCRAM-SHA-256. PgCat can authenticate to the servers using SCRAM, but it can't authenticate clients using SCRAM, only MD5. Client libraries still support MD5, but medium/long term Postgres is sure to remove that insecure authentication algorithm from libpq, so we need to add support for SCRAM for client auth as well.

Describe the solution you'd like
Add support for client-initiated auth to scram.rs and add support for it in client.rs.

Describe alternatives you've considered
There aren't any, this is a necessary change.

Additional context
#253
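The four-message SCRAM-SHA-256 exchange that client-side support means implementing, as an added example in Python (it is not PgCat's scram.rs or any code from the project). The server side holds only the stored verifier (salt, iteration count, StoredKey, ServerKey) and never the password; the client proves it knows the password, and the server proves it knows ServerKey back. The names ScramVerifier, ScramClient, ScramServer and authenticate are hypothetical; the verifier string follows the layout pg_authid.rolpassword uses for SCRAM users.

```python
"""SCRAM-SHA-256 (RFC 5802 / RFC 7677), both sides, from a stored verifier.
Added illustration; not PgCat code. Names are hypothetical."""
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def _attrs(msg: str) -> dict:
    # Messages are comma-separated "k=v" attributes; base64 values and
    # nonces never contain commas, so a plain split is safe.
    return dict(kv.split("=", 1) for kv in msg.split(","))


@dataclass
class ScramVerifier:
    """What the server persists. StoredKey = H(ClientKey) cannot be
    turned back into ClientKey, so leaking it does not yield a proof."""
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes

    @classmethod
    def from_password(cls, password: str, salt: Optional[bytes] = None,
                      iterations: int = 4096) -> "ScramVerifier":
        salt = salt or os.urandom(16)
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        client_key = _hmac(salted, b"Client Key")
        return cls(salt, iterations, hashlib.sha256(client_key).digest(),
                   _hmac(salted, b"Server Key"))

    def to_pg_string(self) -> str:
        # Layout of pg_authid.rolpassword for SCRAM users.
        return (f"SCRAM-SHA-256${self.iterations}:{_b64(self.salt)}"
                f"${_b64(self.stored_key)}:{_b64(self.server_key)}")


class ScramClient:
    def __init__(self, username: str, password: str) -> None:
        self.password = password
        self.cnonce = secrets.token_urlsafe(18)
        self.bare = f"n={username},r={self.cnonce}"  # client-first-message-bare

    def first_message(self) -> str:
        return "n,," + self.bare  # GS2 header: no channel binding

    def final_message(self, server_first: str) -> str:
        a = _attrs(server_first)
        if not a["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend client nonce")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(),
                                     _unb64(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        self.server_key = _hmac(salted, b"Server Key")
        without_proof = f"c={_b64(b'n,,')},r={a['r']}"
        self.auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
        stored_key = hashlib.sha256(client_key).digest()
        proof = _xor(client_key, _hmac(stored_key, self.auth_message))
        return f"{without_proof},p={_b64(proof)}"

    def verify_server(self, server_final: str) -> bool:
        # Mutual auth: only a holder of ServerKey can sign AuthMessage.
        return hmac.compare_digest(_unb64(_attrs(server_final)["v"]),
                                   _hmac(self.server_key, self.auth_message))


class ScramServer:
    def __init__(self, verifier: ScramVerifier) -> None:
        self.v = verifier
        self.snonce = secrets.token_urlsafe(18)

    def first_message(self, client_first: str) -> str:
        if not client_first.startswith("n,,"):
            raise ValueError("unsupported GS2 header")
        self.client_bare = client_first[3:]
        self.nonce = _attrs(self.client_bare)["r"] + self.snonce
        self.server_first = f"r={self.nonce},s={_b64(self.v.salt)},i={self.v.iterations}"
        return self.server_first

    def final_message(self, client_final: str) -> str:
        without_proof, _, proof_b64 = client_final.rpartition(",p=")
        a = _attrs(without_proof)
        if a.get("c") != _b64(b"n,,") or a.get("r") != self.nonce:
            raise ValueError("channel-binding or nonce mismatch")
        auth_message = f"{self.client_bare},{self.server_first},{without_proof}".encode()
        # Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
        client_key = _xor(_unb64(proof_b64), _hmac(self.v.stored_key, auth_message))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.v.stored_key):
            raise PermissionError("SCRAM authentication failed")
        return "v=" + _b64(_hmac(self.v.server_key, auth_message))


def authenticate(username: str, password: str, verifier: ScramVerifier) -> bool:
    """Run the exchange; True only if server accepts and client verifies."""
    client, server = ScramClient(username, password), ScramServer(verifier)
    try:
        server_first = server.first_message(client.first_message())
        server_final = server.final_message(client.final_message(server_first))
    except PermissionError:
        return False
    return client.verify_server(server_final)
```

Two checks matter for a pooler sitting in the middle: the combined nonce must be echoed unchanged in client-final (otherwise a captured proof could be replayed), and every comparison against StoredKey or the server signature must be constant-time. Channel binding (the "p=" GS2 header) is left out here; a pooler terminating TLS would have to decide whether to offer it.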

@DeoLeung

DeoLeung commented Jan 6, 2023

I'm connecting pgcat to readyset (using default config) and get the error "Unsupported authentication mechanism: 3".

Is it something related to this issue?

@levkk
Contributor Author

levkk commented Jan 6, 2023

AuthenticationCleartextPassword (B)

    Byte1('R')

        Identifies the message as an authentication request.
    Int32(8)

        Length of message contents in bytes, including self.
    Int32(3)

        Specifies that a clear-text password is required.

https://www.postgresql.org/docs/current/protocol-message-formats.html

That's not great, clear text authentication should not be used generally speaking. This has nothing to do with this issue. Pgcat does not implement clear text authentication for servers or clients.

@robert-sjoblom

Seconding this; we'd switch from pgbouncer to pgcat if there was support for SCRAM passthrough

@JelteF

JelteF commented Jun 19, 2023

That's not great, clear text authentication should not be used generally speaking.

"Cleartext" over authenticated TLS is actually more secure than md5 over authenticated TLS. Because of the way the protocol works the md5 hash becomes the effective password. This hash is then stored plaintext in the database, thus storing the effective password plaintext in the database. Cleartext + authenticated TLS + scram storage does not have this problem.

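The point above about the MD5 hash being the effective password, as an added example in Python (not code from the project): with AuthenticationMD5Password the server stores hex(md5(password + username)) prefixed with "md5", and the client's reply is md5(that hex + 4-byte salt). The reply can therefore be computed from the stored value alone, which is exactly what the server does to check it. Function names are hypothetical.

```python
"""MD5 password auth: the stored hash answers the challenge by itself.
Added illustration of the protocol arithmetic; not PgCat code."""
import hashlib
import hmac
import os


def md5_stored(username: str, password: str) -> str:
    """What pg_authid.rolpassword holds for an MD5 user."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_challenge() -> bytes:
    """The 4-byte salt sent in AuthenticationMD5Password."""
    return os.urandom(4)


def md5_client_response(username: str, password: str, salt: bytes) -> str:
    """What a client holding the real password sends back."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def md5_response_from_stored(stored: str, salt: bytes) -> str:
    """Same reply, computed from the stored hash only: no password needed.
    Anyone who reads rolpassword can log in, which is the 'effective
    password' problem."""
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def md5_server_accepts(stored: str, salt: bytes, response: str) -> bool:
    """The server's check is necessarily the same computation."""
    return hmac.compare_digest(md5_response_from_stored(stored, salt), response)
```

Contrast with SCRAM: the stored StoredKey is a one-way hash of ClientKey, so reading it from the catalog does not let you build a valid ClientProof, and the stored value is never sent on the wire in any form.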
@haizafrog

Hi,
I'm now evaluating RDS Proxy, PgBouncer, and pgcat.
I see that SCRAM is still not supported. Any ETA to implement it?
Thanks!!

@levkk
Contributor Author

levkk commented Jun 22, 2023

Haven't had a chance to implement this yet. A PR is welcome.
