Closed rolandcrosby closed 2 years ago
SCRAM-SHA-256 pushes the expensive hashing step to happen at the time that a password is set, meaning authentication events can be faster and cheaper.
It also pushes hashing to the client on every authentication attempt, though a clients can cache the outcome of this work. The client hashing makes the protocol more resistant to offline attacks; for each password the attacker wants to try, they'll need to hash again.
cc @bdarnell @aaron-crl -- I have extended/populated the top issue description with the technical details about the work to be done.
RFC here: #51599
cc @thtruo for tracking.
I've been paged two times in the last month or so due to excess CPU usage from password hashing causing node liveness problems & thus large scale issues with a CC cluster.
Thanks for the callout Josh. This is something the Security team is planning to take on, as part of the effort to lift the current authentication code into an independent package, though we don't have a specific date in mind yet.
IIRC once we have it, all pw authn should happen with SCRAM. cc @aaron-crl to shed more light
cc @piyush-singh for awareness
Understood! Can you give me a sense of how big of an engineering lift it is?
Is it possible to backport this change? I kinda doubt it but why not ask.
If a user creates a username with password before this change is rolled out, are they stuck without SCRAM for ever? Or does a migration get run?
There are some non-trivial changes to the authentication protocol that go together with using SCRAM, so it's a substantial amount of work and wouldn't normally qualify for a backport. (one reason I'd like to see us have CC run its own forks instead of being held back by mainline releases and their backport policies)
Once we have it, will all password authentication happen via this method?
It's possible that some client drivers don't support SCRAM (or versions that support it aren't widely rolled out yet - it was a relatively recent addition and these things can move slowly). In that case we'd have to decide whether we want to cut off those clients or continue to allow non-SCRAM logins (for CC without network-level access controls, I think we'd want to go SCRAM-only, but on-prem customers might choose differently).
If a user creates a username with password before this change is rolled out, are they stuck without SCRAM for ever? Or does a migration get run?
In any case, we'd need to continue supporting non-SCRAM logins at least for a transition period. We can't do a SCRAM login when the database contains a bcrypted password, and we can't convert directly from bcrypt to SCRAM. The best migration we could do would be to convert passwords to the SCRAM format the next time they log in. That would solve the "accidental DoS" problem of a legitimate user logging in repeatedly, but would still allow password-guessing attacks to consume a lot of CPU.
NB: an end-user reports (in #65117) that the Crystal pg driver does not enable cleartext auth by default, and thus without SCRAM they cannot use CockroachCloud out of the box.
Linked to:
Summary
Add the SCRAM-SHA-256 auth method:
system.users
(distinguish pw encoding types using a prefix; our currentbcrypt
-based encoding always starts with$
, and pg's implementation has a standard encoding that starts withscran-sha-256:
and 5 fields)password_encryption
session setting: https://www.postgresql.org/docs/current/runtime-config-connection.htmlProtocol summary
Example SCRAM client-server exchange as per RFC 7677:
Summary of the protocol as per RFC 5802:
What gets stored in the database:
Special note about SCRAM for SQL
postgres source code, function
read_client_first_message
inauth-scram.c
Special note about leaking information
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=818fd4a67d610991757b610755e3065fb99d80a5#patch11
References
Reference docs:
Example implementations:
Motivation
Postgres added support for SCRAM-SHA-256 password encryption in version 10. This is a more modern password authentication mechanism than the old "MD5" password authentication mechanism that pg was previously using.
Note that CockroachDB doesn't even support MD5 authentication, and instead requires the client to present the password in cleartext. This is because CRDB uses a non-standard encoding of the password hash in-DB using bcrypt.
The benefit of SCRAM is twofold:
it increases overall server security, by ensuring that the server never sees cleartext passwords even during authn verification.
it pushes the CPU cost of password checks to the client-side.
Note that implementing pg's native MD5 authentication would achieve the same goals, but MD5 authn is vulnerable to various attack vectors where SCRAM is not.
Epic CRDB-5349