Re: [PoC] Let libpq reject unexpected authentication requests

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PoC] Let libpq reject unexpected authentication requests
Date: 2022-03-24 05:17:04
Lists: pgsql-hackers

On Wed, 2022-03-23 at 21:31 +0000, Jacob Champion wrote:
> On Mon, 2022-03-07 at 11:44 +0100, Laurenz Albe wrote:
> > I am all for the idea, but you implemented the reverse of proposal 2.
> >
> > Wouldn't it be better to list the *rejected* authentication methods?
> > Then we could have "password" on there by default.
> Specifying the allowed list rather than the denied list tends to have
> better security properties.
> In the case I'm pursuing (the attack vector from the CVE), the end user
> expects certificates to be used. Any other authentication method --
> plaintext, hashed, SCRAM, Kerberos -- is unacceptable;

That makes sense.

> But that doesn't help your case; you want to choose a good default, and
> I agree that's important. Since there are arguments already for
> accepting an OR in the list, and -- if we couldn't find a good
> orthogonal method for certs, like Tom suggested -- an AND, maybe it
> wouldn't be so bad to accept a NOT as well?
>     require_auth=cert                # certs only
>     require_auth=cert+scram-sha-256  # SCRAM wrapped by certs
>     require_auth=cert,scram-sha-256  # SCRAM or certs (or both)
>     require_auth=!password           # anything but plaintext
>     require_auth=!password,!md5      # no plaintext or MD5

Great, if there is a !something syntax, then I have nothing left to wish.
It may not be the most secure way to do it, but it sure is convenient.

Laurenz Albe
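
Added illustration (not code from the patch, from libpq, or from either poster): a small evaluator for the `require_auth` forms quoted above, checked against the set of methods a server actually made the client perform. The function name, the bitmask encoding, rejecting lists that mix `!` and plain entries, and how a connection with no authentication exchange is treated are all assumptions of this sketch.

```c
#include <string.h>

/* Method tokens taken from the examples quoted in the message. */
static const char *const METHODS[] = {"password", "md5", "scram-sha-256", "cert"};
enum { M_PASSWORD = 1, M_MD5 = 2, M_SCRAM = 4, M_CERT = 8 };

/* Map a token of length n to its bit, or 0 if the token is unknown/empty. */
static unsigned method_bit(const char *s, size_t n)
{
    for (unsigned i = 0; i < 4; i++)
        if (strlen(METHODS[i]) == n && memcmp(METHODS[i], s, n) == 0)
            return 1u << i;
    return 0;
}

/*
 * Hypothetical helper. 'used' is the bitmask of methods the server actually
 * required. Returns 1 = accept, 0 = reject, -1 = malformed setting.
 */
int require_auth_check(const char *setting, unsigned used)
{
    unsigned denied = 0, allowed = 0;
    int satisfied = 0;
    const char *p = setting;

    for (;;) {                              /* one ','-separated entry */
        int neg = (*p == '!');
        unsigned group = 0;

        p += neg;
        for (;;) {                          /* '+'-joined methods (AND) */
            size_t n = strcspn(p, "+,");
            unsigned bit = method_bit(p, n);
            if (bit == 0) return -1;
            group |= bit;
            p += n;
            if (*p != '+') break;
            p++;
        }
        if (neg) {
            if (group & (group - 1)) return -1;  /* "!a+b" is ambiguous */
            denied |= group;
        } else {
            allowed |= group;
            if ((used & group) == group) satisfied = 1;
        }
        if (*p == '\0') break;
        p++;                                /* skip ',' */
    }
    if (denied && allowed) return -1;       /* assumption: no mixing */
    if (denied) return (used & denied) == 0;       /* deny list */
    return satisfied && (used & ~allowed) == 0;    /* allow list */
}
```

Under these assumptions an allow list rejects a server that skips authentication entirely (`used == 0`), while a deny list such as `!password,!md5` accepts it, which is the difference in security properties the thread is weighing.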
