From: | Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> |
---|---|
To: | Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeff Davis <pgsql(at)j-davis(dot)com>, samay sharma <smilingsamay(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org, Andres Freund <andres(at)anarazel(dot)de> |
Subject: | Re: Proposal: Support custom authentication methods using hooks,Re: Proposal: Support custom authentication methods using hooks |
Date: | 2022-03-04 18:49:34 |
Message-ID: | CAGB+Vh6G05ke_N=FNwCUaDfc42RTwvY6LXAw0rV7wnJzz4xZ_Q@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Mar 3, 2022 at 11:50 PM Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> wrote:
>
> >> So, dropping plaintext password authentication support from libpq will
> >> make it impossible for users to use the former method.
> >
> > Yes, just like dropping support for md5 would make it impossible for
> > users to have their passwords be hashed with md5, which is an altogether
> > good thing considering how easy it is to brute-force md5 these days.
>
> I still don't understand why using plaintex password authentication
> over SSL connection is considered insecure. Actually we have been
> stating opposite in the manual:
> https://www.postgresql.org/docs/14/auth-password.html
>
> "If the connection is protected by SSL encryption then password can be
> used safely, though."
If you aren't doing client verification (i.e., cert in pg_hba) and are
not doing verify-full on the client side then a man-in-the-middle
attack on TLS is trivial, and the plaintext password will be
sniffable.
The documentation should be updated to say under no circumstances is this safe.
From | Date | Subject | |
---|---|---|---|
Next Message | Jacob Champion | 2022-03-04 19:13:42 | Re: [PoC] Federated Authn/z with OAUTHBEARER |
Previous Message | Erikjan Rijkers | 2022-03-04 18:13:36 | Re: SQL/JSON: JSON_TABLE |