Re: BUG #16079: Question Regarding the BUG #16064

On Mon, Dec 21, 2020 at 8:06 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> Greetings,
>
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> > On Mon, Dec 21, 2020 at 7:44 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > > BTW, do we have a client-side setting to insist that passwords not be
> > > sent in MD5 hashing either? A person who is paranoid about this would
> > > likely want to disable that code path as well.
> >
> > I don't think we do, and we possibly should. You can require channel
> > binding which will require scram which solves the problem, but it does
> > so only for scram.
> >
> > IIRC we've discussed having a parameter that says "allowed
> > authentication methods" on the client as well, but I don't believe it
> > has been built. But it wouldn't be bad to be able to for example force
> > the client to only attempt gssapi auth, regardless of what the server
> > asks for, and just fail if it's not there.
>
> The client is able to require a GSS encrypted connection, and a savy
> user will realize that they should 'kinit' (or equivilant) locally and
> never provide their password explicitly to the psql (or equivilant)
> command, but that's certainly less than ideal.

Sure, but even if you do, then if you connect to a server that has gss
support but is configured for password auth, it will perform password
auth.

> Having a way to explicitly tell libpq what auth methods are acceptable
> was discussed previously and does generally seem like a good idea, as
> otherwise there's a lot of risk of what are essentially downgrade
> attacks.

That was my point exactly..

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/