From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Chapman Flack <chap(at)anastigmatix(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: allow specifying direct role membership in pg_hba.conf |
Date: | 2021-05-18 14:53:45 |
Message-ID: | 6a4b702a-912c-28aa-332e-70f4bdea5e05@dunslane.net |
Lists: | pgsql-hackers |
On 5/18/21 8:05 AM, Chapman Flack wrote:
> On 05/18/21 04:54, Magnus Hagander wrote:
>
>> I mean, if you have
>> hostssl somedatabase someuser 10.0.0.0/24 gss
>> hostssl somedatabase superuser 10.0.0.0/24 gss tls_min_version=1.3
>>
>> One would reasonably expect that "someuser" can connect with whatever
>> the default version is for tls_min_version, whereas "superuser" would
>> require a minimum of 1.3. But that's *not* what would happen --
>> superuser would also be allowed to connect with a lower version if
>> that's allowed in the global set.
> Negatory. "superuser" would be allowed to send a StartupMessage
> containing the strings "somedatabase" and "superuser" (and possibly
> some settings of options) over a lower version if that's allowed
> in the global set ... and would then have the connection rejected
> because the negotiated protocol was lower than 1.3, without seeing
> any authentication message or having a chance to send any sensitive
> authentication credentials.
>
> So the risk of any information exposure over a too-low TLS version
> is limited to the name of a database, the name of a user, and possibly
> the settings of some options, and no sensitive authentication data.
>
We are way off $subject. If we want to continue this discussion please
use an appropriate subject.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
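To make the ordering that Chapman and Magnus are arguing about concrete, here is a small added model of the connection sequence (this is example code written for this page, not PostgreSQL's own code). It models the real pg_hba.conf rule that the first matching line decides, the real server-wide ssl_min_protocol_version gate, and the hypothetical per-line tls_min_version option from Magnus's example, which does not exist in PostgreSQL; the pg_hba.conf fragment, the TLS ranking table and the client addresses are constructed for the example. The point it shows is the one from the quoted text: a line-level minimum can only be checked after the StartupMessage (database and user names) has already been sent, but before any authentication request is issued.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed ranking of TLS versions for comparisons (helper for this example only).
TLS_RANK = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}


@dataclass
class HbaLine:
    conn_type: str
    database: str
    user: str
    network: object          # ipaddress network object
    method: str
    options: dict = field(default_factory=dict)


def parse_hba(text: str) -> list:
    """Parse 'type database user address method [opt=val ...]' lines (comments stripped)."""
    lines = []
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if not raw:
            continue
        parts = raw.split()
        conn_type, database, user, address, method = parts[:5]
        options = dict(opt.split("=", 1) for opt in parts[5:])
        lines.append(HbaLine(conn_type, database, user,
                             ipaddress.ip_network(address, strict=False),
                             method, options))
    return lines


def first_match(lines, database, user, client_ip):
    """pg_hba.conf semantics: the first line whose fields all match decides.
    All modelled connections are TLS, so the conn_type column is not filtered here."""
    ip = ipaddress.ip_address(client_ip)
    for line in lines:
        if line.database not in ("all", database):
            continue
        if line.user not in ("all", user):
            continue
        if ip not in line.network:
            continue
        return line
    return None


def attempt(lines, global_min, negotiated, database, user, client_ip):
    """Walk one connection attempt in order and record where it stops and
    what the client had already sent by then."""
    record = {"stage": None, "outcome": None,
              "sent_startup": False, "sent_credentials": False}
    # 1. TLS handshake: only the server-wide minimum (ssl_min_protocol_version)
    #    can be applied here, because no database or user name is known yet.
    if TLS_RANK[negotiated] < TLS_RANK[global_min]:
        record.update(stage="tls", outcome="handshake refused by global minimum")
        return record
    # 2. StartupMessage: database and user names now travel over the negotiated TLS.
    record["sent_startup"] = True
    # 3. pg_hba.conf lookup, first matching line wins.
    line = first_match(lines, database, user, client_ip)
    if line is None:
        record.update(stage="hba", outcome="no matching pg_hba.conf line")
        return record
    line_min = line.options.get("tls_min_version")  # hypothetical per-line option
    if line_min is not None and TLS_RANK[negotiated] < TLS_RANK[line_min]:
        record.update(stage="hba",
                      outcome=f"rejected: TLS {negotiated} below line minimum {line_min}")
        return record
    # 4. Only now would the server send an authentication request.
    record["sent_credentials"] = True
    record.update(stage="auth", outcome=f"authentication via {line.method}")
    return record


# Constructed pg_hba.conf fragment modelled on the two lines quoted in the thread.
SAMPLE_HBA = """\
hostssl somedatabase someuser  10.0.0.0/24 gss
hostssl somedatabase superuser 10.0.0.0/24 gss tls_min_version=1.3
"""
HBA = parse_hba(SAMPLE_HBA)

if __name__ == "__main__":
    for user, tls in (("someuser", "1.2"), ("superuser", "1.2"), ("superuser", "1.3")):
        r = attempt(HBA, "1.2", tls, "somedatabase", user, "10.0.0.7")
        print(f"{user:10s} TLS {tls}: stage={r['stage']:5s} startup_sent={r['sent_startup']} "
              f"credentials_sent={r['sent_credentials']} ({r['outcome']})")
```

With the global minimum at 1.2, "superuser" over TLS 1.2 passes the handshake and sends the StartupMessage, then stops at the pg_hba.conf stage without ever reaching authentication, which is exactly the exposure boundary Chapman describes: database name, user name and startup options, but no credentials.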