Re: dblink: Add SCRAM pass-through authentication
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Matheus Alcantara <matheusssilv97@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-03-18T19:32:35Z
Lists: pgsql-hackers
On 18.03.25 17:53, Jacob Champion wrote: > On Tue, Mar 18, 2025 at 9:35 AM Peter Eisentraut <peter@eisentraut.org> wrote: >> So the way I understand this is that the options are: >> >> (1) We add a libpq function like PQconnectionUsedScramKeys() in the >> style of PQconnectionUsedPassword() and call that function during the >> checks. >> >> (2) We make use_scram_passthrough=true imply require_auth=scram-sha-256. >> This is essentially a way to get the info from (1) out of libpq using >> existing facilities. > > Right. > >> But it would preempt certain setups that might >> otherwise work. (Which ones? Are they important?) > > If the backend HBA later changes, to require delegated GSS or a > different type of password authentication, the user will have to unset > use_scram_passthrough (or ask the owner of the foreign server to unset > it). Whereas before they could just add a password to their user > mapping or enable delegation to move forward immediately. > > I think this is probably not a serious limitation, in practice. Yeah, I think option (2) is enough for now. If someone wants to enable the kinds of things you describe, they can always come back and implement option (1) later.
Commits
-
dblink: SCRAM authentication pass-through
- 3642df265d09 18.0 landed
-
postgres_fdw: improve security checks
- 76563f88cfbd 18.0 landed