From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [JDBC] Channel binding support for SCRAM-SHA-256 |
Date: | 2017-09-12 23:03:30 |
Message-ID: | CAB7nPqS1pwjXZRae5mEPhbzmRf1UPu+dzvRwHU6Bb60t7Fy-JQ@mail.gmail.com |
Lists: | pgsql-hackers pgsql-jdbc |
On Tue, Sep 12, 2017 at 11:38 PM, Peter Eisentraut
<peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> It seems we should start by sorting out the mechanism by which the
> client can control what authentication mechanisms it accepts. In your
> patch set you introduce a connection parameter saslname. I think we
> should expand that to non-SASL mechanisms and have it be some kind of
> whitelist or blacklist. It might be reasonable for a client to require
> "gssapi" or "cert" for example or do an exclusion like "!password !md5
> !ldap".
>
> Thoughts?

That looks like a sensible approach to begin with at the end: there
have been complaints that a client can be tricked into using MD5 by a
rogue server even if it was willing to use SCRAM. So what about a
parameter called pgauthfilter, which uses a comma-separated list of
keywords? As you say, using an exclamation point to negate an
authentication method is fine for me. For SCRAM, we could just use
"scram-sha-256" as keyword.

Once channel binding is involved though... This needs to be extended
and this needs careful thought:
* "scram-sha-256" means that the version without channel binding is
accepted. "!scram-sha-256" means that SCRAM without channel binding is
refused.
* "scram-sha-256-plus" means that all channel bindings are accepted.
"!scram-sha-256-plus" means that no channel bindings are accepted.

After that there is some filtering per channel binding name. Do we
want a separate parameter or just filter with longer names like
"scram-sha-256-plus-tls-unique" and
"scram-sha-256-plus-tls-server-end-point"? The last one gets
particularly long; this does not help users with typos :)
--
Michael
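As an added illustration, not code from this thread, libpq or pgjdbc, here is how a client could evaluate the pgauthfilter list proposed above before answering the server's authentication request, so that a server offering only MD5 cannot downgrade a client that asked for SCRAM. The rules that the message leaves open are my assumptions: any positive keyword turns the list into a whitelist, a bare "!" entry always refuses, and a "-plus" keyword covers every channel binding variant beneath it.

```python
"""Hypothetical evaluation of a pgauthfilter connection parameter (assumed semantics)."""
from typing import List, Optional, Tuple


def _matches(keyword: str, mechanism: str) -> bool:
    # Exact match, or a "-plus" family keyword covering every channel binding
    # type under it: "scram-sha-256-plus" covers "scram-sha-256-plus-tls-unique".
    # A plain "scram-sha-256" keyword deliberately does NOT cover the -plus forms,
    # matching the message's reading that it names the non-channel-bound variant.
    return mechanism == keyword or (
        keyword.endswith("-plus") and mechanism.startswith(keyword + "-")
    )


def parse_auth_filter(value: str) -> Tuple[List[str], List[str]]:
    """Split a comma-separated filter into (allow, deny) keyword lists."""
    allow: List[str] = []
    deny: List[str] = []
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if item.startswith("!"):
            deny.append(item[1:])
        else:
            allow.append(item)
    return allow, deny


def mechanism_allowed(filter_value: str, mechanism: str) -> bool:
    """Decide whether the client may use a server-offered mechanism."""
    allow, deny = parse_auth_filter(filter_value)
    mechanism = mechanism.lower()
    if any(_matches(k, mechanism) for k in deny):
        return False  # explicit refusal wins over anything else
    if allow:
        return any(_matches(k, mechanism) for k in allow)  # whitelist mode
    return True  # blacklist-only filter: anything not denied is acceptable


def choose_mechanism(filter_value: str, offered: List[str]) -> Optional[str]:
    """Return the first offered mechanism the filter accepts, or None to abort."""
    for mech in offered:
        if mechanism_allowed(filter_value, mech):
            return mech
    return None


if __name__ == "__main__":
    # Constructed scenario: a rogue server offers only MD5 to a SCRAM-only client.
    print(choose_mechanism("scram-sha-256,scram-sha-256-plus", ["md5"]))  # None
    print(choose_mechanism("!md5,!password", ["md5", "scram-sha-256"]))
```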