On 3/4/22 20:19, Tom Lane wrote: > Jacob Champion <pchamp...@vmware.com> writes: >> $subject keeps coming up in threads. I think my first introduction to >> it was after the TLS injection CVE, and then it came up again in the >> pluggable auth thread. It's hard for me to generalize based on "sound >> bites", but among the proposals I've seen are >> 1. reject plaintext passwords >> 2. reject a configurable list of unacceptable methods >> 3. allow client and server to negotiate a method >> All of them seem to have merit. > Agreed. > >> Here is my take on option 2, then: you get to choose exactly one method >> that the client will accept. If you want to use client certificates, >> use require_auth=cert. If you want to force SCRAM, use >> require_auth=scram-sha-256. If the server asks for something different, >> libpq will fail. If the server tries to get away without asking you for >> authentication, libpq will fail. There is no negotiation. > Seems reasonable, but I bet that for very little more code you could > accept a comma-separated list of allowed methods; libpq already allows > comma-separated lists for some other connection options. That seems > like it'd be a useful increment of flexibility. > >
Just about necessary I guess, since you can specify that a client cert is required in addition to some other auth method, so for such cases you might want something like "required_auth=cert,scram-sha-256"? Or do we need a way of specifying the combination? cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
