Re: Letting the client choose the protocol to use during a SASL exchange
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Simon Riggs <simon@2ndquadrant.com>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: Michael Paquier <michael.paquier@gmail.com>,
PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2017-04-07T08:17:43Z
Lists: pgsql-hackers
On 04/06/2017 11:16 PM, Simon Riggs wrote: >> or it >> can just ignore the list and send what it wants anyway, probably leading >> to client disconnect. > It would need to follow one of the requested protocols, but mark the > request as doomed. Otherwise we'd be revealing information. That's > what SCRAM does now. It's not a secret today, what authentication method the server requires. You can't really hide it, anyway, as the client could probe with different lists of supported methods, and see which method the server picks in each case. - Heikki
Commits
-
Improve the SASL authentication protocol.
- 4f3b87ab780b 10.0 landed
-
Refactor libpq authentication request processing.
- 61bf96cab063 10.0 landed
-
Minor cleanup of backend SCRAM code.
- 00707fa58275 10.0 landed