| From: | Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> |
|---|---|
| To: | jkatz(at)postgresql(dot)org |
| Cc: | tgl(at)sss(dot)pgh(dot)pa(dot)us, pgsql(at)j-davis(dot)com, smilingsamay(at)gmail(dot)com, pgsql-hackers(at)lists(dot)postgresql(dot)org, andres(at)anarazel(dot)de |
| Subject: | Re: Proposal: Support custom authentication methods using hooks,Re: Proposal: Support custom authentication methods using hooks |
| Date: | 2022-03-03 01:01:36 |
| Message-ID: | 20220303.100136.386974761629697042.t-ishii@sranhm.sra.co.jp |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 2/25/22 12:39 PM, Tom Lane wrote:
>> Jeff Davis <pgsql(at)j-davis(dot)com> writes:
>>> On Thu, 2022-02-24 at 20:47 -0500, Tom Lane wrote:
>>>> ... and, since we can't readily enforce that the client only sends
>>>> those cleartext passwords over suitably-encrypted connections, this
>>>> could easily be a net negative for security. Not sure that I think
>>>> it's a good idea.
>>
>>> I don't understand your point. Can't you just use "hostssl" rather
>>> than
>>> "host"?
>> My point is that sending cleartext passwords over the wire is an
>> insecure-by-definition protocol that we shouldn't be encouraging
>> more use of.
>
> This is my general feeling as well. We just spent a bunch of effort
> adding, refining, and making SCRAM the default method. I think doing
> anything that would drive more use of sending plaintext passwords,
> even over TLS, is counter to that.
There's at least one use case to use plaintext passwords. Pgpool-II
accepts plaintext passwords from frontend (from frontend's point of
view, it looks as if the frontend speaks with PostgreSQL server which
requests the plaintext password authentication), then negotiates with
backends regarding authentication method they demand. Suppose we have
2 PostgreSQL clusters and they require md5 auth. They send different
password encryption salt and Pgpool-II deal with each server using the
salt and password. So Pgpool-II needs plaintext password. Same thing
can be said to SCRAM-SHA-256 authentication because it's kind of
challenge/response based authentication.
Actually it is possible for Pgpool-II to not use plaintext passwords
reading from frontend. In this case passwords are stored in a file and
Pgpool-II reads passwords from the file. But this is annoying for
users because they have to sync the passwords stored in PostgreSQL
with the passwords stored in the file.
So, dropping plaintext password authentication support from libpq will
make it impossible for users to use the former method.
Best reagards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Melanie Plageman | 2022-03-03 01:07:14 | Why do spgbuildempty(), btbuildempty(), and blbuildempty() use smgrwrite()? |
| Previous Message | Peter Smith | 2022-03-03 00:56:27 | Re: PG DOCS - logical replication filtering |