postgresml/pgcat

Add support for client SCRAM authentication

Opened this issue · 6 comments

levkk commented

Is your feature request related to a problem? Please describe.

Postgres 14 switched the default password encryption and authentication method from Md5 to SCRAM-SHA-256. PgCat can authenticate to the servers using SCRAM, but it can't authenticate clients using SCRAM, only Md5. Client libraries still support Md5, but medium/long term Postgres is sure to remove that insecure authentication algorithm from libpq, so we need to add support for SCRAM for client auth as well.

Describe the solution you'd like
Add support for client-initiated auth to scram.rs and add support for it in client.rs.

Describe alternatives you've considered
There aren't any, this is a necessary change.

Additional context
#253

I'm connecting pgcat to readyset (using default config)

and get the error Unsupported authentication mechanism: 3

is it something related to this issue?

levkk commented
AuthenticationCleartextPassword (B)

    Byte1('R')
        Identifies the message as an authentication request.
    Int32(8)
        Length of message contents in bytes, including self.
    Int32(3)
        Specifies that a clear-text password is required.

https://www.postgresql.org/docs/current/protocol-message-formats.html

That's not great; clear-text authentication should not be used, generally speaking. This has nothing to do with this issue. Pgcat does not implement clear-text authentication for servers or clients.

Seconding this; we'd switch from pgbouncer to pgcat if there was support for SCRAM passthrough

JelteF commented

That's not great; clear-text authentication should not be used, generally speaking.

"Cleartext" over authenticated TLS is actually more secure than md5 over authenticated TLS. Because of the way the protocol works, the md5 hash becomes the effective password. This hash is then stored in plaintext in the database, thus storing the effective password in plaintext in the database. Cleartext + authenticated TLS + SCRAM storage does not have this problem.

Hi,
I'm now evaluating RDS Proxy, PgBouncer, and pgcat.
I see that SCRAM is still not supported. Any ETA to implement it?
Thanks!!

levkk commented

Haven't had a chance to implement this yet. A PR is welcome.