Re: dblink: Add SCRAM pass-through authentication

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Matheus Alcantara <matheusssilv97@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-03-18T19:32:35Z
Lists: pgsql-hackers
On 18.03.25 17:53, Jacob Champion wrote:
> On Tue, Mar 18, 2025 at 9:35 AM Peter Eisentraut <peter@eisentraut.org> wrote:
>> So the way I understand this is that the options are:
>>
>> (1) We add a libpq function like PQconnectionUsedScramKeys() in the
>> style of PQconnectionUsedPassword() and call that function during the
>> checks.
>>
>> (2) We make use_scram_passthrough=true imply require_auth=scram-sha-256.
>>    This is essentially a way to get the info from (1) out of libpq using
>> existing facilities.
> 
> Right.
> 
>> But it would preempt certain setups that might
>> otherwise work.  (Which ones?  Are they important?)
> 
> If the backend HBA later changes, to require delegated GSS or a
> different type of password authentication, the user will have to unset
> use_scram_passthrough (or ask the owner of the foreign server to unset
> it). Whereas before they could just add a password to their user
> mapping or enable delegation to move forward immediately.
> 
> I think this is probably not a serious limitation, in practice.

Yeah, I think option (2) is enough for now.  If someone wants to enable 
the kinds of things you describe, they can always come back and 
implement option (1) later.




Commits

  1. dblink: SCRAM authentication pass-through

  2. postgres_fdw: improve security checks