Re: Letting the client choose the protocol to use during a SASL exchange

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Cc: Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Simon Riggs <simon(at)2ndquadrant(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Letting the client choose the protocol to use during a SASL exchange
Date: 2017-04-14 02:42:52
Message-ID: CAB7nPqQnf=3KOOYDigicQhcnz8y+YaLahHQUEiyzNU5J8aYYRw@mail.gmail.com
Lists: pgsql-hackers

On Fri, Apr 14, 2017 at 1:37 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> On 04/13/2017 05:53 AM, Michael Paquier wrote:
>> + * Parse the list of SASL authentication mechanisms in the
>> + * AuthenticationSASL message, and select the best mechanism that we
>> + * support. (Only SCRAM-SHA-256 is supported at the moment.)
>> */
>> - if (strcmp(auth_mechanism, SCRAM_SHA256_NAME) == 0)
>> + for (;;)
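Review bot: the `for (;;)` that replaces the single `strcmp(auth_mechanism, SCRAM_SHA256_NAME)` check should show its two exits right where the loop is: stop at the terminating empty string of the mechanism list, and report an error rather than keep going when the list ends with nothing libpq supports, so an unsupported or malformed list from the server fails the connection instead of leaving the loop reading past the message. The comment's "select the best mechanism that we support" also implies a client-side preference order once more than one mechanism exists; stating that order next to the loop saves a later reader from inferring it from the branch structure.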
>> Just an idea here: being able to enforce the selection with an
>> environment variable (useful for testing as well in the future).
>
> Hmm. It wouldn't do much, as long as SCRAM-SHA-256 is the only supported
> mechanism. In general, there is no way to tell libpq to e.g. not do plain
> password authentication, which is more pressing than choosing a particular
> SASL mechanism. So I think we should have libpq options to control that, but
> it's a bigger feature than just adding a debug environment variable here.

Of course, my last sentence implied that this may be useful once more
than 1 mechanism is added. This definitely cannot be a connection
parameter. Your last sentence makes me guess that we agree on that.
But those are thoughts for later.

> Thanks for the review! I've pushed these patches, after a bunch of little
> cleanups here and there, and fixing a few garden-variety bugs in the
> GSS/SSPI changes.

Committed patches look good to me after a second lookup. Thanks!
--
Michael
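An added example, not libpq's code or anything posted in this thread, of the client-side selection the quoted comment describes: parse the NUL-separated mechanism list of an AuthenticationSASL message with a bounded loop and pick the most preferred mechanism the client supports, returning NULL so the caller fails the connection when nothing matches or the list is malformed. The preference table (SCRAM-SHA-256-PLUS ahead of SCRAM-SHA-256) and the sample message are assumptions for illustration; the thread's libpq knows only SCRAM-SHA-256.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Client preference order, most preferred first (assumed ordering for this
 * example; the libpq discussed in the thread knows only SCRAM-SHA-256). */
static const char *const supported_mechs[] = { "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256" };
#define N_SUPPORTED (sizeof(supported_mechs) / sizeof(supported_mechs[0]))

/* Pick the best supported mechanism from an AuthenticationSASL body: a list of
 * NUL-terminated names ended by an empty string. 'len' bounds every read, so a
 * truncated or unterminated message cannot make the loop run past the buffer.
 * Returns NULL when the caller must fail the connection. */
const char *
select_sasl_mechanism(const char *buf, size_t len)
{
    const char *best = NULL;
    size_t best_rank = N_SUPPORTED;    /* lower index is better */
    size_t off = 0;

    for (;;)
    {
        const char *name, *nul;
        size_t i;
        if (off >= len)
            return NULL;               /* list never terminated: malformed */
        name = buf + off;
        nul = memchr(name, '\0', len - off);
        if (nul == NULL)
            return NULL;               /* name runs off the buffer: malformed */
        if (nul == name)
            break;                     /* empty string: end of list */
        for (i = 0; i < best_rank; i++)
            if (strcmp(name, supported_mechs[i]) == 0)
            {
                best = supported_mechs[i];
                best_rank = i;
                break;
            }
        off = (size_t) (nul - buf) + 1; /* step past this name's NUL */
    }
    return best;
}

int main(void)
{
    static const char msg[] = "EXAMPLE-MECH\0SCRAM-SHA-256\0"; /* constructed sample */
    const char *m = select_sasl_mechanism(msg, sizeof(msg));
    printf("selected: %s\n", m ? m : "(none: fail the connection)");
    return m ? 0 : 1;
}
```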
