Re: Letting the client choose the protocol to use during a SASL exchange

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Craig Ringer <craig@2ndquadrant.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Simon Riggs <simon@2ndquadrant.com>, Michael Paquier <michael.paquier@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2017-04-07T09:08:44Z
Lists: pgsql-hackers
On 04/07/2017 11:57 AM, Craig Ringer wrote:
> On 7 April 2017 at 16:33, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>
>> That list of supported authentication methods would need to be included in
>> the startup message. Unfortunately, there is no way to add options to the
>> startup message, without breaking compatibility with old servers. If there
>> is an option in the startup message that the server doesn't understand, it
>> will treat it as a GUC, and you get an "unrecognized configuration
>> parameter" after authentication.
>
> sasl.mechanisms = 'SCRAM_SHA256'
>
> :p
>
> No, I'm not seriously suggesting we abuse that.

Hmm, that's not such a bad idea, actually. It only goes back to 9.2, 
though. Before that, the prefix needed to be listed in 
custom_variable_classes, or you got an error. 9.2 is the oldest 
supported version, but libpq should still be able to connect to older 
versions.

- Heikki



Commits

  1. Improve the SASL authentication protocol.

  2. Refactor libpq authentication request processing.

  3. Minor cleanup of backend SCRAM code.