Re: [PoC] Let libpq reject unexpected authentication requests
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jacob Champion <pchampion@vmware.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-03-05T01:19:26Z
Lists: pgsql-hackers
Jacob Champion <pchampion@vmware.com> writes: > $subject keeps coming up in threads. I think my first introduction to > it was after the TLS injection CVE, and then it came up again in the > pluggable auth thread. It's hard for me to generalize based on "sound > bites", but among the proposals I've seen are > 1. reject plaintext passwords > 2. reject a configurable list of unacceptable methods > 3. allow client and server to negotiate a method > All of them seem to have merit. Agreed. > Here is my take on option 2, then: you get to choose exactly one method > that the client will accept. If you want to use client certificates, > use require_auth=cert. If you want to force SCRAM, use > require_auth=scram-sha-256. If the server asks for something different, > libpq will fail. If the server tries to get away without asking you for > authentication, libpq will fail. There is no negotiation. Seems reasonable, but I bet that for very little more code you could accept a comma-separated list of allowed methods; libpq already allows comma-separated lists for some other connection options. That seems like it'd be a useful increment of flexibility. regards, tom lane
Commits
-
libpq: Add sslcertmode option to control client certificates
- 36f40ce2dc66 16.0 landed
-
Rewrite error message related to sslmode in libpq
- bcaa1fafc82f 16.0 landed
-
libpq: Add support for require_auth to control authorized auth methods
- 3a465cc6783f 16.0 landed
-
Run pgindent on libpq's fe-auth.c, fe-auth-scram.c and fe-connect.c
- b6dfee28f2b4 16.0 landed