From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Jeff Davis <pgsql(at)j-davis(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Add "password_protocol" connection parameter to libpq |
Date: | 2019-08-09 10:09:22 |
Message-ID: | 20190809100922.GI3194@paquier.xyz |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Aug 08, 2019 at 11:16:24PM -0700, Jeff Davis wrote:
> On Fri, 2019-08-09 at 12:00 +0900, Michael Paquier wrote:
> > What about auth_protocol then? It seems to me that it could be
> > useful
> > to have the restriction on AUTH_REQ_MD5 as well.
>
> auth_protocol does sound like a good name. I'm not sure what you mean
> regarding MD5 though.
Sorry, I meant krb5 here.
> We already have that concept to a lesser extent, with the md5
> authentication method also permitting scram-sha-256.
That's present to ease upgrades, and once the AUTH_REQ part is
received the client knows what it needs to go through.
> That sounds good, but there are a lot of possibilities and I can't
> quite decide which way to go.
>
> We could expose it as an SASL option like:
>
> saslmode = {disable|prefer|require-scram-sha-256|require-scram-sha-
> 256-plus}
Or we could shape password_protocol so as it takes a list of
protocols, as a white list of authorized things in short.
--
Michael
From | Date | Subject | |
---|---|---|---|
Next Message | Robert Haas | 2019-08-09 12:59:26 | Re: SegFault on 9.6.14 |
Previous Message | Amit Kapila | 2019-08-09 08:54:50 | Re: POC: Cleaning up orphaned files using undo logs |