From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Jacob Champion <jchampion(at)timescale(dot)com> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PoC] Let libpq reject unexpected authentication requests |
Date: | 2022-06-23 00:56:18 |
Message-ID: | CAKFQuwabmJHf+68wo0=dd9EE=9H0RbO=S0SJ23Kpnn8peANZoA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Jun 9, 2022 at 4:30 PM Jacob Champion <jchampion(at)timescale(dot)com>
wrote:
> On Wed, Jun 8, 2022 at 9:58 PM Michael Paquier <michael(at)paquier(dot)xyz>
> wrote:
>
> > One
> > interesting case comes down to stuff like channel_binding=require
> > require_auth="md5,scram-sha-256", where I think that we should still
> > fail even if the server asks for MD5 and enforce an equivalent of an
> > AND grammar through the parameters. This reasoning limits the
> > dependencies between each parameter and treats the areas where these
> > are checked independently, which is what check_expected_areq() does
> > for channel binding. So that's more robust at the end.
>
> Agreed.
>
>
That just makes me want to not implement OR'ing...
The existing set of individual parameters doesn't work as an API for
try-and-fallback.
Something like would be less problematic when it comes to setting multiple
related options:
--auth-try
"1;sslmode=require;channel_binding=require;method=scram-sha-256;sslcert=/tmp/machine.cert;sslkey=/tmp/machine.key"
--auth-try
"2;sslmode=require;method=cert;sslcert=/tmp/me.cert;sslkey=/tmp/me.key"
--auth-try "3;sslmode=prefer;method=md5"
Absent that radical idea, require_auth probably shouldn't change any
behavior that exists today without having specified require_auth and having
the chosen method happen anyway. So whatever happens today with an md5
password prompt while channel_binding is set to require (not in the mood
right now to figure out how to test that on a compiled against HEAD
instance).
David J.
From | Date | Subject | |
---|---|---|---|
Next Message | shiy.fnst@fujitsu.com | 2022-06-23 01:35:15 | RE: Handle infinite recursion in logical replication setup |
Previous Message | Andres Freund | 2022-06-23 00:01:13 | Re: Missing reference to pgstat_replslot.c in pgstat.c |