>>>>> "Vladimir" == Vladimir Soldatov <solardatov@xxxxxxxxx> writes: Vladimir> Hi guys, Vladimir> I am new to PostgreSQL, so sorry for maybe stupid question. I Vladimir> am working on some application implementing Frontend/Backend Vladimir> PG protocol and one of the goals - having only "admin" users Vladimir> credentials (like postgres user) be able to retrieve enough Vladimir> information from PG server (for example, from pg_authid Vladimir> table) to perform authentication for any user created in PG Vladimir> (without any user interaction, so we don't know the user's Vladimir> password). It's an explicit goal of SCRAM to make it impossible to use the server's stored authentication data to actually authenticate from a client (without first breaking the preimage resistance of the hash function). Specifically, the authentication exchange proves to the server that the client knows key_c, but the server only stores H(key_c); the server can validate the client message just by applying the hash function, but the correct value of key_c can't be determined in advance on the server without a successful preimage attack on H(key_c). The right way to allow a privileged user to operate as if they were someone else is to use SET ROLE or SET SESSION AUTHORIZATION rather than actually trying to log in as the other user. -- Andrew (irc:RhodiumToad)
