Re: Letting the client choose the protocol to use during a SASL exchange

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Simon Riggs <simon@2ndquadrant.com>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: Michael Paquier <michael.paquier@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2017-04-07T08:17:43Z
Lists: pgsql-hackers
On 04/06/2017 11:16 PM, Simon Riggs wrote:
>> or it
>> can just ignore the list and send what it wants anyway, probably leading
>> to client disconnect.
> It would need to follow one of the requested protocols, but mark the
> request as doomed. Otherwise we'd be revealing information. That's
> what SCRAM does now.

It's not a secret today, what authentication method the server requires. 
You can't really hide it, anyway, as the client could probe with 
different lists of supported methods, and see which method the server 
picks in each case.

- Heikki



Commits

  1. Improve the SASL authentication protocol.

  2. Refactor libpq authentication request processing.

  3. Minor cleanup of backend SCRAM code.