Re: allow specifying direct role membership in pg_hba.conf

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Chapman Flack <chap(at)anastigmatix(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: allow specifying direct role membership in pg_hba.conf
Date: 2021-05-18 14:53:45
Message-ID: 6a4b702a-912c-28aa-332e-70f4bdea5e05@dunslane.net


On 5/18/21 8:05 AM, Chapman Flack wrote:
> On 05/18/21 04:54, Magnus Hagander wrote:
>
>> I mean, if you have
>> hostssl somedatabase someuser 10.0.0.0/24 gss
>> hostssl somedatabase superuser 10.0.0.0/24 gss tls_min_version=1.3
>>
>> One would reasonably expect that "someuser" can connect with whatever
>> the default version is for tls_min_version, whereas "superuser" would
>> require a minimum of 1.3. But that's *not* what would happen --
>> superuser would also be allowed to connect with a lower version if
>> that's allowed in the global set.
> Negatory. "superuser" would be allowed to send a StartupMessage
> containing the strings "somedatabase" and "superuser" (and possibly
> some settings of options) over a lower version if that's allowed
> in the global set ... and would then have the connection rejected
> because the negotiated protocol was lower than 1.3, without seeing
> any authentication message or having a chance to send any sensitive
> authentication credentials.
>
> So the risk of any information exposure over a too-low TLS version
> is limited to the name of a database, the name of a user, and possibly
> the settings of some options, and no sensitive authentication data.
>

We are way off $subject. If we want to continue this discussion please
use an appropriate subject.

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
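Added example, not part of the thread and not PostgreSQL code: a small Python model of the matching logic the quoted exchange argues about. It parses hba-style lines carrying a hypothetical per-line tls_min_version option (which PostgreSQL does not have; the option name and the two lines are taken from Magnus's message, the CIDR and client addresses are constructed) and shows Chapman's point: because the TLS handshake and the StartupMessage precede hba matching, a too-low version can only be rejected after the database and user names have been sent, but before any authentication exchange.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed hba content for this example. The tls_min_version option is the
# hypothetical per-line setting discussed in the thread, not a real one.
HBA_CONF = """
# TYPE  DATABASE      USER       ADDRESS        METHOD  [OPTIONS]
hostssl somedatabase  someuser   10.0.0.0/24    gss
hostssl somedatabase  superuser  10.0.0.0/24    gss     tls_min_version=1.3
"""


@dataclass
class HbaLine:
    conn_type: str
    database: str
    user: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    method: str
    options: dict = field(default_factory=dict)


def parse_hba(text: str) -> list[HbaLine]:
    """Parse hba-style lines: comments and blank lines are skipped,
    trailing name=value tokens become per-line options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed hba line: {raw!r}")
        conn_type, database, user, address, method, *opts = fields
        options = {}
        for opt in opts:
            if "=" not in opt:
                raise ValueError(f"option without value: {opt!r}")
            name, value = opt.split("=", 1)
            options[name] = value
        entries.append(HbaLine(conn_type, database, user,
                               ipaddress.ip_network(address, strict=False),
                               method, options))
    return entries


def tls_tuple(version: str) -> tuple[int, int]:
    """'1.2' -> (1, 2) so versions compare numerically."""
    major, minor = version.split(".")
    return (int(major), int(minor))


def match_line(entries, database, user, client_ip, ssl_in_use):
    """First-match semantics, as pg_hba.conf uses. hostssl lines only
    match TLS connections; hostnossl lines only match plain ones."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        if entry.conn_type == "hostssl" and not ssl_in_use:
            continue
        if entry.conn_type == "hostnossl" and ssl_in_use:
            continue
        if entry.database not in ("all", database):
            continue
        if entry.user not in ("all", user):
            continue
        if ip not in entry.network:
            continue
        return entry
    return None


def evaluate_connection(entries, database, user, client_ip, negotiated_tls):
    """negotiated_tls is the version already agreed in the handshake, or
    None for a non-TLS connection. By the time this runs, the client has
    already sent the StartupMessage (database, user, startup options), so
    that is all a too-low TLS version could have exposed."""
    entry = match_line(entries, database, user, client_ip,
                       negotiated_tls is not None)
    if entry is None:
        return ("no_matching_line", None)
    required = entry.options.get("tls_min_version")
    if required and tls_tuple(negotiated_tls) < tls_tuple(required):
        return ("rejected_before_auth", {
            "required": required,
            "negotiated": negotiated_tls,
            "exposed_over_weak_tls": ["database", "user", "startup options"],
        })
    return ("proceed_to_auth", {"method": entry.method})


if __name__ == "__main__":
    hba = parse_hba(HBA_CONF)
    for who, ver in (("someuser", "1.2"), ("superuser", "1.2"), ("superuser", "1.3")):
        print(who, ver, evaluate_connection(hba, "somedatabase", who, "10.0.0.7", ver))
```

Running it shows someuser proceeding to gss authentication over TLS 1.2, superuser over TLS 1.2 being rejected with only the startup fields already sent, and superuser over TLS 1.3 proceeding. Whether the server should instead re-negotiate or how the client learns the required version is exactly the open question in the thread; this model only decides accept or reject at the point where the hba line is known.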
