Re: dblink: Add SCRAM pass-through authentication

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Matheus Alcantara <matheusssilv97@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-03-07T16:22:12Z
Lists: pgsql-hackers

Attachments

On 06.03.25 22:58, Jacob Champion wrote:
> On Thu, Mar 6, 2025 at 12:33 PM Peter Eisentraut <peter@eisentraut.org> wrote:
>> AFAICT, in pgfdw_security_check(), if SCRAM has been used for the
>> outgoing server connection, then PQconnectionUsedPassword() is true, and
>> then this check should fail if no "password" parameter was given.  That
>> check should be expanded to allow alternatively passing the SCRAM key
>> component parameters.
> 
> pgfdw_security_check() is currently not called if SCRAM passthrough is
> in use, though:
> 
>>         /*
>>          * Perform post-connection security checks only if scram pass-through
>>          * is not being used because the password is not necessary.
>>          */
>>         if (!(MyProcPort->has_scram_keys && UseScramPassthrough(server, user)))
>>             pgfdw_security_check(keywords, values, user, conn);

Right.  How about the attached?  It checks as an alternative to a 
password whether the SCRAM keys were provided.  That should get us back 
to the same level of checking?

Commits

  1. dblink: SCRAM authentication pass-through

  2. postgres_fdw: improve security checks