Re: [PoC] Let libpq reject unexpected authentication requests

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jacob Champion <pchampion(at)vmware(dot)com>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PoC] Let libpq reject unexpected authentication requests
Date: 2022-03-05 12:46:55
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 3/4/22 20:19, Tom Lane wrote:
> Jacob Champion <pchampion(at)vmware(dot)com> writes:
>> $subject keeps coming up in threads. I think my first introduction to
>> it was after the TLS injection CVE, and then it came up again in the
>> pluggable auth thread. It's hard for me to generalize based on "sound
>> bites", but among the proposals I've seen are
>> 1. reject plaintext passwords
>> 2. reject a configurable list of unacceptable methods
>> 3. allow client and server to negotiate a method
>> All of them seem to have merit.
> Agreed.
>> Here is my take on option 2, then: you get to choose exactly one method
>> that the client will accept. If you want to use client certificates,
>> use require_auth=cert. If you want to force SCRAM, use
>> require_auth=scram-sha-256. If the server asks for something different,
>> libpq will fail. If the server tries to get away without asking you for
>> authentication, libpq will fail. There is no negotiation.
> Seems reasonable, but I bet that for very little more code you could
> accept a comma-separated list of allowed methods; libpq already allows
> comma-separated lists for some other connection options. That seems
> like it'd be a useful increment of flexibility.

Just about necessary I guess, since you can specify that a client cert
is required in addition to some other auth method, so for such cases you
might want something like "required_auth=cert,scram-sha-256"? Or do we
need a way of specifying the combination?



Andrew Dunstan

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Andrew Dunstan 2022-03-05 14:35:23 Re: SQL/JSON: JSON_TABLE
Previous Message Andrew Dunstan 2022-03-05 12:40:18 Re: Regression tests failures on Windows Server 2019 - on master at commit # d816f366b