On 5/26/23 6:47 PM, Jacob Champion wrote:
On Thu, May 25, 2023 at 6:10 PM Jonathan S. Katz <jk...@postgresql.org> wrote:
+ To prevent server spoofing from occurring when using
+ <link linkend="auth-password">scram-sha-256</link> password authentication
+ over a network, you should ensure you are connecting using SSL.

seems to backtrack on the recommendation -- you have to use sslmode=verify-full, not just SSL, to avoid handing a weak(er) hash to an untrusted party.
The above assumes that the reader reviewed the previous paragraph and followed the guidelines there. However, we can make it explicit. Please see attached.
Thanks, Jonathan
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index dbe23db54f..9a9fa7b206 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2014,6 +2014,19 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 CA. </para> + <para> + To prevent server spoofing from occurring when using + <link linkend="auth-password">scram-sha-256</link> password authentication + over a network, you should ensure that you connect to the server using SSL + and with one of the anti-spoofing methods described in the previous + paragraph. Additionally, the SCRAM implementation in + <application>libpq</application> cannot protect the entire authentication + exchange, but using the <literal>channel_binding=require</literal> connection + parameter provides a mitigation against server spoofing. An attacker that + uses a rogue server to intercept a SCRAM exchange can use offline analysis to + determine the hashed password from the client. + </para> + <para> To prevent spoofing with GSSAPI, the server must be configured to accept only <literal>hostgssenc</literal> connections
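Review bot: in the added <para>, the last sentence ("An attacker that uses a rogue server to intercept a SCRAM exchange can use offline analysis to determine the hashed password from the client.") is the threat that the preceding channel_binding=require sentence is meant to address, but it comes after the mitigation and leaves "cannot protect the entire authentication exchange" unexplained; move it ahead of the "Additionally, ..." sentence and say what is exposed, namely that the client computes its proof with the salt and iteration count the server supplies, so a rogue server captures enough to search for the password offline. It would also help to state that channel_binding=require only takes effect over an SSL connection and defends against a man-in-the-middle relaying the exchange to the real server, not against the rogue endpoint analyzing what it captured, so the certificate verification described in the previous paragraph remains the primary defense; with that, the "using SSL" wording that Jacob flagged reads consistently with the rest of the section.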
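The two points raised in this exchange, that a rogue server can recover the password offline from one intercepted SCRAM exchange and that channel binding changes only part of that picture, as an added example that is not part of this thread and not libpq or PostgreSQL code. It is a minimal SCRAM-SHA-256 client and server after RFC 5802/7677; the user name, password, candidate list, salts and certificate hashes are constructed sample data, and all function names are the example's own. The simulated client accepts whatever salt and iteration count the server sends, as the protocol specifies.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not libpq/PostgreSQL code: minimal SCRAM-SHA-256 pieces used to
# show what a rogue server learns from one exchange and what channel binding
# (SCRAM-SHA-256-PLUS, tls-server-end-point) does and does not change.
# Every password, salt, certificate hash and candidate below is constructed.

PASSWORD = "correct horse battery"


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored, auth_message))


def stored_key(password: str, salt: bytes, iterations: int) -> bytes:
    """What a real server stores: H(ClientKey), never the password itself."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hashlib.sha256(_hmac(salted, b"Client Key")).digest()


def cbind_attr(cert_hash: Optional[bytes]) -> bytes:
    """The c= attribute: gs2-header, plus the hash of the server certificate the
    client actually saw when channel binding is in use."""
    if cert_hash is None:
        return base64.b64encode(b"n,,")
    return base64.b64encode(b"p=tls-server-end-point,," + cert_hash)


def _parse(server_first: bytes):
    attrs = dict(part.split(b"=", 1) for part in server_first.split(b","))
    return attrs[b"r"], base64.b64decode(attrs[b"s"]), int(attrs[b"i"])


def run_client(password: str, client_first_bare: bytes, server_first: bytes,
               seen_cert_hash: Optional[bytes]):
    """Client side after server-first: salt and iteration count come from the
    server, so a rogue server controls both. Returns client-final-without-proof
    and the proof, which is everything the server gets to see."""
    nonce, salt, iterations = _parse(server_first)
    final = b"c=" + cbind_attr(seen_cert_hash) + b",r=" + nonce
    auth_message = client_first_bare + b"," + server_first + b"," + final
    return final, client_proof(password, salt, iterations, auth_message)


def server_verify(stored: bytes, client_first_bare: bytes, server_first: bytes,
                  final: bytes, proof: bytes, own_cert_hash: Optional[bytes]) -> bool:
    """Real server check: c= must name the server's own certificate, then
    H(proof XOR ClientSignature) must equal StoredKey."""
    if final.split(b",")[0] != b"c=" + cbind_attr(own_cert_hash):
        return False
    auth_message = client_first_bare + b"," + server_first + b"," + final
    client_key = _xor(proof, _hmac(stored, auth_message))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored)


def offline_dictionary_attack(client_first_bare: bytes, server_first: bytes, final: bytes,
                              proof: bytes, candidates) -> Optional[str]:
    """Rogue server's offline step: it chose the salt and iteration count and saw
    every message, so it can test candidates against the captured proof at will."""
    _, salt, iterations = _parse(server_first)
    auth_message = client_first_bare + b"," + server_first + b"," + final
    for cand in candidates:
        if hmac.compare_digest(client_proof(cand, salt, iterations, auth_message), proof):
            return cand
    return None


def _first_messages(salt: bytes, iterations: int):
    cnonce = base64.b64encode(secrets.token_bytes(18))
    client_first_bare = b"n=user,r=" + cnonce
    snonce = cnonce + base64.b64encode(secrets.token_bytes(18))
    server_first = (b"r=" + snonce + b",s=" + base64.b64encode(salt)
                    + b",i=" + str(iterations).encode())
    return client_first_bare, server_first


def demo_rogue_server(channel_binding: bool) -> Optional[str]:
    """Client talks (over TLS) directly to a rogue server, which picks a tiny
    iteration count so its offline search is cheap. With channel binding the
    proof is bound to the rogue's own certificate, which the rogue knows, so the
    offline attack still succeeds: channel binding does not stop this case."""
    rogue_cert = hashlib.sha256(b"constructed rogue certificate").digest()
    client_first_bare, server_first = _first_messages(b"rogue-salt", 1)
    final, proof = run_client(PASSWORD, client_first_bare, server_first,
                              rogue_cert if channel_binding else None)
    candidates = ["password", "hunter2", PASSWORD, "postgres"]
    return offline_dictionary_attack(client_first_bare, server_first, final, proof, candidates)


def demo_relay(channel_binding: bool) -> bool:
    """A man-in-the-middle relays the exchange to the real server. Without channel
    binding the relayed proof verifies; with it, the proof is bound to the MITM's
    certificate and the real server rejects it."""
    real_cert = hashlib.sha256(b"constructed real server certificate").digest()
    mitm_cert = hashlib.sha256(b"constructed rogue certificate").digest()
    stored = stored_key(PASSWORD, b"real-salt", 4096)
    client_first_bare, server_first = _first_messages(b"real-salt", 4096)
    final, proof = run_client(PASSWORD, client_first_bare, server_first,
                              mitm_cert if channel_binding else None)
    return server_verify(stored, client_first_bare, server_first, final, proof,
                         real_cert if channel_binding else None)
```

`demo_rogue_server` returns the password in both modes, which is the "offline analysis" the patch text refers to; `demo_relay` returns True without channel binding and False with it, which is the narrower spoofing case that channel_binding=require closes. Neither demo involves checking the server's certificate against the expected host, which is why sslmode=verify-full (or the other anti-spoofing methods in that section) is the control that keeps the client from talking to the rogue server in the first place.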