Re: Add "password_protocol" connection parameter to libpq

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Jeff Davis <pgsql@j-davis.com>
Cc: pgsql-hackers@postgresql.org
Date: 2019-08-09T10:09:22Z
Lists: pgsql-hackers
On Thu, Aug 08, 2019 at 11:16:24PM -0700, Jeff Davis wrote:
> On Fri, 2019-08-09 at 12:00 +0900, Michael Paquier wrote:
> > What about auth_protocol then?  It seems to me that it could be
> > useful
> > to have the restriction on AUTH_REQ_MD5 as well.
> 
> auth_protocol does sound like a good name. I'm not sure what you mean
> regarding MD5 though.

Sorry, I meant krb5 here.

> We already have that concept to a lesser extent, with the md5
> authentication method also permitting scram-sha-256.

That's present to ease upgrades, and once the AUTH_REQ part is
received the client knows what it needs to go through.

> That sounds good, but there are a lot of possibilities and I can't
> quite decide which way to go.
> 
> We could expose it as an SASL option like:
> 
>    saslmode = {disable|prefer|require-scram-sha-256|require-scram-sha-
> 256-plus}

Or we could shape password_protocol so as it takes a list of
protocols, as a white list of authorized things in short.
--
Michael

Commits

  1. Add libpq parameter 'channel_binding'.