From: | Adrian Vogelsgesang <avogelsgesang(at)tableau(dot)com> |
---|---|
To: | "pgsql-interfaces(at)lists(dot)postgresql(dot)org" <pgsql-interfaces(at)lists(dot)postgresql(dot)org> |
Subject: | Libpq: Fail connection attempt if server didn't request a password |
Date: | 2021-01-15 17:56:54 |
Message-ID: | BY5PR03MB4965271A9AE58B7367D1DB52A3A70@BY5PR03MB4965.namprd03.prod.outlook.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-interfaces |
Dear Postgres community,
Today, I learned that in the Postgres protocol, the Postgres server first has to request a password from the client before libpq will send it.
In particular, this also means: if the server doesn’t request a password but simply accepts the connection, libpq will just establish the connection.
Is there some way to let libpq fail the connection attempt in such a case, i.e. if a password was provided but not requested from the server?
Can I, as the client, force the authentication used during creating a connection to be scram-sha-256?
Or can I at least disable MD5 and plain-text authentication on the client-side (which I both consider unsecure)?
You might ask: Why do I care to enforce the authentication mode on the client side? Two reasons:
1. To identify misconfigured server. In our use case, all servers should require a password. By failing hard and early, we can more easily find misconfigured servers
2. To establish some trust on the client-side that I am actually connected to the correct server. In scram-sha-256, the server also has to authenticate to the client. This would be a nice additional level of security. However, this is worthless if the client doesn’t enforce a scram-sha-256 authentication: A malicious server could simply accept the connection without asking for a password or use the MD5 method instead
Cheers,
Adrian
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2021-01-15 23:21:18 | Re: Libpq: Fail connection attempt if server didn't request a password |
Previous Message | Blum, Kimber | 2020-12-09 21:29:03 | Issue with mysql_fdw |