From: | Jacob Champion <jchampion(at)timescale(dot)com> |
---|---|
To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PoC] Let libpq reject unexpected authentication requests |
Date: | 2022-06-24 19:17:08 |
Message-ID: | CAAWbhmitLHUBkUUJmsG2CuVfH=OXTzj6pU1C8XYerYBM2TBfbQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Jun 23, 2022 at 10:33 AM Jacob Champion <jchampion(at)timescale(dot)com> wrote:
> - I think NOT is an important case in practice, which is effectively a
> negative OR ("anything but this/these")
Both NOT (via ! negation) and "none" are implemented in v4.
Examples:
# The server must use SCRAM.
require_auth=scram-sha-256
# The server must use SCRAM or Kerberos.
require_auth=scram-sha-256,gss,sspi
# The server may optionally use SCRAM.
require_auth=none,scram-sha-256
# The server must not use any application-level authentication.
require_auth=none
# The server may optionally use authentication, except plaintext
# passwords.
require_auth=!password
# The server may optionally use authentication, except weaker password
# challenges.
require_auth=!password,!md5
# The server must use an authentication method.
require_auth=!none
# The server must use a non-plaintext authentication method.
require_auth=!none,!password
Note that `require_auth=none,scram-sha-256` allows the server to
abandon a SCRAM exchange early, same as it can today. That might be a
bit surprising.
--Jacob
Attachment | Content-Type | Size |
---|---|---|
since-v3.diff.txt | text/plain | 16.8 KB |
v4-0001-libpq-let-client-reject-unexpected-auth-methods.patch | text/x-patch | 33.4 KB |
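Added example, not part of the original message or the attached patch: a small C model of the `require_auth` matching rules that the examples in the message illustrate, deciding whether a client should accept the method a server chose. The function name `auth_allowed`, its `used` argument, and the rejection of lists that mix negated and plain entries are assumptions; the message only shows lists of one kind, and the model does not cover whitespace handling or the early-abandoned SCRAM case noted at the end.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the require_auth semantics shown in the examples above.
 * Returns 1 if `used` is acceptable, 0 if the client should reject it,
 * -1 if the list is empty or (assumption) mixes negated and plain entries.
 * `used` is the method the server requested, or "none" if it requested
 * no application-level authentication at all.
 */
int auth_allowed(const char *require_auth, const char *used)
{
    char buf[256];
    int negated = -1;   /* -1 until the first entry fixes the list's polarity */
    int matched = 0;

    if (strlen(require_auth) >= sizeof(buf))
        return -1;
    strcpy(buf, require_auth);

    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
    {
        int neg = (tok[0] == '!');
        const char *name = neg ? tok + 1 : tok;

        if (*name == '\0')
            return -1;              /* "!" with no method name */
        if (negated == -1)
            negated = neg;
        else if (negated != neg)
            return -1;              /* assumption: mixed lists are invalid */
        if (strcmp(name, used) == 0)
            matched = 1;
    }
    if (negated == -1)
        return -1;                  /* empty list */
    /* Plain list: allow only listed methods. Negated list: allow all others. */
    return negated ? !matched : matched;
}

int main(void)
{
    /* Constructed inputs: settings from the message, server methods made up. */
    printf("%d\n", auth_allowed("scram-sha-256,gss,sspi", "md5"));
    printf("%d\n", auth_allowed("none,scram-sha-256", "none"));
    printf("%d\n", auth_allowed("!password,!md5", "none"));
    printf("%d\n", auth_allowed("!none,!password", "password"));
    return 0;
}
```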