Quick Links

Re: BUG #16079: Question Regarding the BUG #16064

From:	Jeff Davis <pgsql(at)j-davis(dot)com>
To:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>
Cc:	Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, k(dot)yudhveer(at)gmail(dot)com, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: BUG #16079: Question Regarding the BUG #16064
Date:	2021-06-03 18:02:56
Message-ID:	2c52f6c582e2fbcea77caa0ae8d83af261522be7.camel@j-davis.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-bugs pgsql-hackers

On Mon, 2020-12-21 at 13:44 -0500, Tom Lane wrote:
> Hm. I'm less concerned about that scenario than about somebody
> snooping
> the on-the-wire traffic. If we're going to invent a connection
> setting
> for this, I'd say that in addition to "ok to send cleartext password"
> and "never ok to send cleartext password", there should be a setting
> for
> "send cleartext password only if connection is encrypted". Possibly
> that should even be the default.

There was a fair amount of related discussion here:

https://www.postgresql.org/message-id/227015d8417f2b4fef03f8966dbfa5cbcc4f44da.camel%40j-davis.com

My feeling after all of that discussion is that the next step would be
to move to some kind of negotiation between client and server about
which methods are mutually acceptable. Right now, the protocol is
structured around the server driving the authentication process, and
the most the client can do is abort.

> BTW, do we have a client-side setting to insist that passwords not be
> sent in MD5 hashing either? A person who is paranoid about this
> would
> likely want to disable that code path as well.

channel_binding=require is one way to do it, but it also requires ssl.

Regards,
Jeff Davis

In response to

Re: BUG #16079: Question Regarding the BUG #16064 at 2020-12-21 18:44:02 from Tom Lane

Responses

Re: BUG #16079: Question Regarding the BUG #16064 at 2021-06-04 01:09:56 from Michael Paquier

Browse pgsql-bugs by date

	From	Date	Subject
Next Message	Adrian Klaver	2021-06-03 21:37:16	Re: BUG #17046: Upgrade postgres 11 to 13 version
Previous Message	Tom Lane	2021-06-03 14:01:54	Re: windows psql connection error

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Tomas Vondra	2021-06-03 18:11:48	Re: PATCH: generate fractional cheapest paths in generate_orderedappend_path
Previous Message	Tom Lane	2021-06-03 17:52:41	Re: SSL SNI