Re: dblink: Add SCRAM pass-through authentication
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Matheus Alcantara <matheusssilv97@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-03-07T16:22:12Z
Lists: pgsql-hackers
Attachments
On 06.03.25 22:58, Jacob Champion wrote: > On Thu, Mar 6, 2025 at 12:33 PM Peter Eisentraut <peter@eisentraut.org> wrote: >> AFAICT, in pgfdw_security_check(), if SCRAM has been used for the >> outgoing server connection, then PQconnectionUsedPassword() is true, and >> then this check should fail if no "password" parameter was given. That >> check should be expanded to allow alternatively passing the SCRAM key >> component parameters. > > pgfdw_security_check() is currently not called if SCRAM passthrough is > in use, though: > >> /* >> * Perform post-connection security checks only if scram pass-through >> * is not being used because the password is not necessary. >> */ >> if (!(MyProcPort->has_scram_keys && UseScramPassthrough(server, user))) >> pgfdw_security_check(keywords, values, user, conn); Right. How about the attached? It checks as an alternative to a password whether the SCRAM keys were provided. That should get us back to the same level of checking?
Commits
-
dblink: SCRAM authentication pass-through
- 3642df265d09 18.0 landed
-
postgres_fdw: improve security checks
- 76563f88cfbd 18.0 landed