On Thu, Aug 08, 2019 at 03:38:20PM -0700, Jeff Davis wrote:
> Libpq doesn't have a way to control which password protocols are used.
> For example, the client might expect the server to be using SCRAM, but
> it actually ends up using plain password authentication instead.
Thanks for working on this!

> I'm not 100% happy with the name "password_protocol", but other names I
> could think of seemed likely to cause confusion.

What about auth_protocol then? It seems to me that it could be useful
to have the restriction on AUTH_REQ_MD5 as well.

> Sets the least-secure password protocol allowable when using password
> authentication. Options are: "plaintext", "md5", "scram-sha-256", or
> "scram-sha-256-plus".

This makes it sound like there is a linear hierarchy among all those
protocols, which is true in this case, but if the list of supported
protocols is extended in the future it may not be.

I think that this should have TAP tests in src/test/authentication/ so
as we make sure of the semantics. For the channel-binding part, the
logic path for the test would be src/test/ssl.

+#define DefaultPasswordProtocol "plaintext"

I think that we are going to need another default value for that, like
"all", to reduce the confusion that SCRAM, MD5 and co are still
included in the authorized set in this case.

Another thing that was discussed on the topic would be to allow a list
of authorized protocols instead. I personally don't think that we need
to go necessarily this way, but it could make the integration of things
like scram-sha-256,scram-sha-256-plus easier to integrate in application
flows.
--
Michael
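A model of the client-side check the thread is debating, added here as an illustration and not code from libpq or from the patch: the server's AuthenticationRequest (using the real AUTH_REQ_* protocol codes) is mapped to one of the proposed protocol names, then tested both under the minimum-level semantics of the proposed password_protocol setting and under the allow-list alternative. Function names, the "all" alias and the SSL handling are assumptions for the example.

```python
# Added illustration, not libpq or patch code: models the policy check the
# thread discusses. AUTH_REQ_* values are the real PostgreSQL protocol codes;
# the function names and the handling of "all" are assumptions.
AUTH_REQ_PASSWORD = 3   # server asks for a cleartext password
AUTH_REQ_MD5 = 5        # server asks for an MD5-hashed password
AUTH_REQ_SASL = 10      # server starts SASL and lists its mechanisms

# Linear hierarchy implied by the proposed password_protocol wording.
LEVELS = ["plaintext", "md5", "scram-sha-256", "scram-sha-256-plus"]


def negotiated_protocol(auth_req, sasl_mechs=(), ssl_in_use=False):
    """Map the server's AuthenticationRequest to a protocol name."""
    if auth_req == AUTH_REQ_PASSWORD:
        return "plaintext"
    if auth_req == AUTH_REQ_MD5:
        return "md5"
    if auth_req == AUTH_REQ_SASL:
        # Channel binding (-PLUS) is only usable over SSL; the client takes
        # it when the server offers it and the connection is encrypted.
        if ssl_in_use and "SCRAM-SHA-256-PLUS" in sasl_mechs:
            return "scram-sha-256-plus"
        if "SCRAM-SHA-256" in sasl_mechs:
            return "scram-sha-256"
    return None  # unsupported or unexpected request


def allowed_by_minimum(protocol, password_protocol="plaintext"):
    """Minimum-level semantics: accept the floor and anything above it.
    "all" (assumed alias for the lowest level) accepts every protocol."""
    if protocol is None:
        return False
    floor = "plaintext" if password_protocol == "all" else password_protocol
    return LEVELS.index(protocol) >= LEVELS.index(floor)


def allowed_by_list(protocol, allowed):
    """Allow-list semantics: only the listed protocols are accepted, so a
    future protocol needs no position in a linear ordering."""
    return protocol is not None and protocol in allowed


def client_decision(auth_req, policy, sasl_mechs=(), ssl_in_use=False):
    """Return (ok, protocol); policy is a level name or a set of names."""
    proto = negotiated_protocol(auth_req, sasl_mechs, ssl_in_use)
    if isinstance(policy, str):
        return allowed_by_minimum(proto, policy), proto
    return allowed_by_list(proto, policy), proto
```

The SASL case without SSL shows the downgrade the floor is meant to catch: the server can only offer SCRAM-SHA-256, so a client requiring scram-sha-256-plus refuses to send credentials.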