| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> |
| Cc: | Matheus Alcantara <matheusssilv97(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: SCRAM pass-through authentication for postgres_fdw |
| Date: | 2024-12-04 23:39:00 |
| Message-ID: | CAOYmi+=q0vsu=aBJhg95NAE1d562-rBfV5TuyohSoj_0n6+fjg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Dec 4, 2024 at 3:05 PM Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> wrote:
> I only see advantages over the
> alternative, which is copying the plaintext password around. In case
> of compromise of the server, only the salt+verifier has to be rotated,
> not the actual user password.
Sure, I'm not saying it's worse than plaintext. But a third
alternative might be actual pass-through SCRAM [1], where either you
expect the two servers to share a certificate fingerprint, or
explicitly disable channel bindings on the second authentication pass
in order to allow the MITM. (Or, throwing spaghetti, maybe even have
the primary server communicate the backend cert so you can verify it
and use it in the binding?)
All that is a metric ton more work and analysis, though.
--Jacob
[1] https://www.postgresql.org/message-id/9129a012-0415-947e-a68e-59d423071525%40timescale.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jacob Champion | 2024-12-04 23:49:07 | Re: SCRAM pass-through authentication for postgres_fdw |
| Previous Message | Andres Freund | 2024-12-04 23:36:17 | Re: deferred writing of two-phase state files adds fragility |