From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Jeff Davis <pgsql(at)j-davis(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, k(dot)yudhveer(at)gmail(dot)com, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: BUG #16079: Question Regarding the BUG #16064 |
Date: | 2021-06-04 01:09:56 |
Message-ID: | YLl9ZPihn+kI/oHk@paquier.xyz |
Lists: | pgsql-bugs pgsql-hackers |
On Thu, Jun 03, 2021 at 11:02:56AM -0700, Jeff Davis wrote:
> My feeling after all of that discussion is that the next step would be
> to move to some kind of negotiation between client and server about
> which methods are mutually acceptable. Right now, the protocol is
> structured around the server driving the authentication process, and
> the most the client can do is abort.

FWIW, this sounds very similar to what SASL solves when we try to
select a mechanism name, plus some filtering applied in the backend
with some HBA rule or some filtering in the frontend with a connection
parameter doing the restriction, like channel_binding here.

Introducing a new libpq parameter that allows the user to select which
authentication methods are allowed has been discussed in the past, I
remember vaguely writing/reviewing a patch doing that actually..

--
Michael
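
Added example, not part of the original message and not libpq's own code: a simplified C model of the client side of the selection described above, where the server advertises SASL mechanism names and the client filters them through a `channel_binding`-style setting. The names `select_mechanism`, `cb_policy` and `offered` are hypothetical, and the server offers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Client-side policy, named after libpq's channel_binding values. */
typedef enum { CB_DISABLE, CB_PREFER, CB_REQUIRE } cb_policy;

/* Hypothetical helper: is `name` in the server's advertised list? */
static int offered(const char *const *mechs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(mechs[i], name) == 0)
            return 1;
    return 0;
}

/*
 * Pick a SASL mechanism from the server's list, or return NULL when
 * nothing mutually acceptable remains and the client has to abort.
 */
const char *select_mechanism(const char *const *mechs, size_t n,
                             cb_policy policy, int tls_in_use)
{
    int plus = offered(mechs, n, "SCRAM-SHA-256-PLUS");
    int plain = offered(mechs, n, "SCRAM-SHA-256");

    /* Channel binding needs a TLS channel to bind to. */
    if (policy != CB_DISABLE && tls_in_use && plus)
        return "SCRAM-SHA-256-PLUS";
    if (policy == CB_REQUIRE)
        return NULL;            /* refuse to downgrade */
    return plain ? "SCRAM-SHA-256" : NULL;
}

int main(void)
{
    /* Constructed server offers, not captured traffic. */
    const char *const both[] = { "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256" };
    const char *const plain_only[] = { "SCRAM-SHA-256" };
    const char *m;

    m = select_mechanism(both, 2, CB_PREFER, 1);
    printf("prefer, both offered:  %s\n", m ? m : "(abort)");
    m = select_mechanism(plain_only, 1, CB_REQUIRE, 1);
    printf("require, plain only:   %s\n", m ? m : "(abort)");
    m = select_mechanism(both, 2, CB_DISABLE, 1);
    printf("disable, both offered: %s\n", m ? m : "(abort)");
    return 0;
}
```

The NULL result under `CB_REQUIRE` is the case to watch: the client ends the attempt rather than accept a mechanism without channel binding.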