From: | Jacob Champion <jchampion(at)timescale(dot)com> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Aleksander Alekseev <aleksander(at)timescale(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Subject: | Re: [PoC] Let libpq reject unexpected authentication requests |
Date: | 2023-03-14 19:14:40 |
Message-ID: | CAAWbhmiotN3k6q5Q5SnPe=5P1V8Vq=XKkuZQf5UprPhNiUAv_A@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Mar 13, 2023 at 10:39 PM Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> 0001 was looking fine enough seen from here, so applied it after
> tweaking a few comments. That's enough to cover most of the needs of
> this thread.
Thank you very much!
> 0002 looks pretty simple as well, I think that's worth a look for this
> CF.
Cool. v17 just rebases the set over HEAD, then, for cfbot.
> I am not sure about 0003, to be honest, as I am wondering if
> there could be a better solution than tying more the mechanism names
> with the expected AUTH_REQ_* values..
Yeah, I'm not particularly excited about the approach I took. It'd be
easier if we had a second SASL method to verify the implementation...
I'd also proposed just adding an Assert, as a third option, to guide
the eventual SASL implementer back to this conversation?
--Jacob
Attachment | Content-Type | Size |
---|---|---|
v17-0002-require_auth-decouple-SASL-and-SCRAM.patch | text/x-patch | 8.1 KB |
v17-0001-Add-sslcertmode-option-for-client-certificates.patch | text/x-patch | 17.0 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Jacob Champion | 2023-03-14 19:20:21 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Previous Message | Dmitry Dolgov | 2023-03-14 19:04:32 | Re: pg_stat_statements and "IN" conditions |