On 11.02.25 00:19, Jacob Champion wrote:
These don't seem right to me. SCRAM passthrough should be considered
as_part_ of the connstr/security checks, but I think it should not
_bypass_ those checks. We have to enforce the use of the SCRAM
credentials on the remote for safety, similarly to GSS delegation.
(This might be a good place for `require_auth=scram-sha-256`?)
I've attached a failing test to better illustrate what I mean.
It looks like the postgres_fdw patch that landed also performs a
bypass -- I think that may need an open item to fix? CC'd Peter.
AFAICT, in pgfdw_security_check(), if SCRAM has been used for the
outgoing server connection, then PQconnectionUsedPassword() is true, and
then this check should fail if no "password" parameter was given. That
check should be expanded to allow alternatively passing the SCRAM key
component parameters.
But that would mean the check is too restrictive, while you are
apparently claiming that the check is not restrictive enough?
(Also, this would appear to mean the current SCRAM pass-through code in
postgres_fdw should mostly not work, but the tests work, so I'm confused.)
