
Add support for client SCRAM authentication

Open levkk opened this issue 2 years ago • 6 comments

Is your feature request related to a problem? Please describe.

Postgres 14 switched the default password encryption and authentication method from Md5 to SCRAM-SHA-256. PgCat can authenticate to the servers using SCRAM, but it can't authenticate clients using SCRAM, only Md5. Client libraries still support Md5, but medium/long term Postgres is sure to remove that insecure authentication algorithm from libpq, so we need to add support for SCRAM for client auth as well.

Describe the solution you'd like Add support for client-initiated auth to scram.rs and add support for it in client.rs.

Describe alternatives you've considered There aren't any, this is a necessary change.

Additional context #253

levkk avatar Dec 13 '22 16:12 levkk

I'm connecting pgcat to readyset(using default config)

and get error Unsupported authentication mechanism: 3

is it something related to this issue?

DeoLeung avatar Jan 06 '23 07:01 DeoLeung

AuthenticationCleartextPassword (B)

    Byte1('R')

        Identifies the message as an authentication request.
    Int32(8)

        Length of message contents in bytes, including self.
    Int32(3)

        Specifies that a clear-text password is required.

https://www.postgresql.org/docs/current/protocol-message-formats.html

That's not great, clear text authentication should not be used generally speaking. This has nothing to do with this issue. Pgcat does not implement clear text authentication for servers or clients.

levkk avatar Jan 06 '23 20:01 levkk

Seconding this; we'd switch from pgbouncer to pgcat if there was support for SCRAM passthrough

robert-sjoblom avatar Jun 19 '23 05:06 robert-sjoblom

> That's not great, clear text authentication should not be used generally speaking.

"Cleartext" over authenticated TLS is actually more secure than md5 over authenticated TLS. Because of the way the protocol works the md5 hash becomes the effective password. This hash is then stored plaintext in the database, thus storing the effective password plaintext in the database. Cleartext + authenticated TLS + scram storage does not have this problem.

JelteF avatar Jun 19 '23 10:06 JelteF

Hi, I'm now evaluating RDS Proxy, PGbouncer, and pgcat. I see that SCRAM is still not supported. Any ETA to implement it ? Thanks!!

haizafrog avatar Jun 22 '23 14:06 haizafrog

Haven't had a chance to implement this yet. A PR is welcome.

levkk avatar Jun 22 '23 16:06 levkk