From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
Cc: | Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Simon Riggs <simon(at)2ndquadrant(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Letting the client choose the protocol to use during a SASL exchange |
Date: | 2017-04-14 02:42:52 |
Message-ID: | CAB7nPqQnf=3KOOYDigicQhcnz8y+YaLahHQUEiyzNU5J8aYYRw@mail.gmail.com |
Lists: | pgsql-hackers |
On Fri, Apr 14, 2017 at 1:37 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> On 04/13/2017 05:53 AM, Michael Paquier wrote:
>> + * Parse the list of SASL authentication mechanisms in the
>> + * AuthenticationSASL message, and select the best mechanism that we
>> + * support. (Only SCRAM-SHA-256 is supported at the moment.)
>> */
>> - if (strcmp(auth_mechanism, SCRAM_SHA256_NAME) == 0)
>> + for (;;)
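Review bot: the `for (;;)` that replaces the single `strcmp(auth_mechanism, SCRAM_SHA256_NAME)` test has no exit condition of its own, so the loop body needs an explicit break at the end of the mechanism list and a bound on the message length, in case the AuthenticationSASL message carries a list that is never terminated. It should also fail with a clear error when none of the offered mechanisms is supported, and the comment's "select the best mechanism" should state what ordering "best" means once more than one mechanism is supported.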
>> Just an idea here: being able to enforce the selection with an
>> environment variable (useful for testing as well in the future).
>
> Hmm. It wouldn't do much, as long as SCRAM-SHA-256 is the only supported
> mechanism. In general, there is no way to tell libpq to e.g. not do plain
> password authentication, which is more pressing than choosing a particular
> SASL mechanism. So I think we should have libpq options to control that, but
> it's a bigger feature than just adding a debug environment variable here.
Of course, my last sentence implied that this may be useful once more
than 1 mechanism is added. This definitely cannot be a connection
parameter. Your last sentence makes me guess that we agree on that.
But those are thoughts for later..
> Thanks for the review! I've pushed these patches, after a bunch of little
> cleanups here and there, and fixing a few garden-variety bugs in the
> GSS/SSPI changes.
Committed patches look good to me after a second lookup. Thanks!
--
Michael