Re: [PoC] Let libpq reject unexpected authentication requests
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Cc: Aleksander Alekseev <aleksander@timescale.com>,
Michael Paquier <michael@paquier.xyz>,
Peter Eisentraut <peter.eisentraut@enterprisedb.com>,
"David G. Johnston" <david.g.johnston@gmail.com>
Date: 2023-02-28T23:38:21Z
Lists: pgsql-hackers
On 2/16/23 10:57, Jacob Champion wrote: > v14 rebases over the test and solution conflicts from 9244c11afe2. Since we're to the final CF for PG16, here's a rough summary. This patchset provides two related features: 1) the ability for a client to explicitly allow or deny particular methods of in-band authentication (that is, things like password exchange), and 2) the ability to withhold a client certificate from a server that asks for it. Feature 1 was originally proposed to mitigate abuse where a successful MITM attack can then be used to fish for client credentials [1]. It also lets users disable undesirable authentication types (like plaintext) by default, which seems to be a common interest. Both features came up again in the context of proxies such as postgres_fdw, where it's sometimes important that users authenticate using only their credentials and not piggyback on the authority of the proxy host [2]. And another use case for feature 2 just came up independently [3], to fix connections where the default client certificate isn't valid for a particular server. Since this is all client-side, it's compatible with existing servers. Also since it's client-side, it can't prevent connections from being established by an eager server; it can only drop the connection once it sees that its requirement was not met, similar to how we handle target_session_attrs. That means it can't prevent a login trigger from being processed on behalf of a confused proxy. (I think that would require server-side support.) 0001 and 0002 are the core features. 0003 is a more future-looking refactoring of the internals, to make it easier to handle more SASL mechanisms, but it's not required and contains some unexercised code. Thanks, --Jacob [1] https://www.postgresql.org/message-id/fcc3ebeb7f05775b63f3207ed52a54ea5d17fb42.camel%40vmware.com [2] https://www.postgresql.org/message-id/20230123015255.h3jro3yyitlsqykp%40awork3.anarazel.de [3] https://www.postgresql.org/message-id/CAAWbhmh_QqCnRVV8ct3gJULReQjWxLTaTBqs%2BfV7c7FpH0zbew%40mail.gmail.com
Commits
-
libpq: Add sslcertmode option to control client certificates
- 36f40ce2dc66 16.0 landed
-
Rewrite error message related to sslmode in libpq
- bcaa1fafc82f 16.0 landed
-
libpq: Add support for require_auth to control authorized auth methods
- 3a465cc6783f 16.0 landed
-
Run pgindent on libpq's fe-auth.c, fe-auth-scram.c and fe-connect.c
- b6dfee28f2b4 16.0 landed