On Thu, Aug 08, 2019 at 11:16:24PM -0700, Jeff Davis wrote:
> On Fri, 2019-08-09 at 12:00 +0900, Michael Paquier wrote:
> > What about auth_protocol then? It seems to me that it could be
> > useful to have the restriction on AUTH_REQ_MD5 as well.
>
> auth_protocol does sound like a good name. I'm not sure what you mean
> regarding MD5 though.

Sorry, I meant krb5 here.

> We already have that concept to a lesser extent, with the md5
> authentication method also permitting scram-sha-256.

That's present to ease upgrades, and once the AUTH_REQ part is received the client knows what it needs to go through.

> That sounds good, but there are a lot of possibilities and I can't
> quite decide which way to go.
>
> We could expose it as an SASL option like:
>
> saslmode = {disable|prefer|require-scram-sha-256|require-scram-sha-256-plus}

Or we could shape password_protocol so that it takes a list of protocols, as a white list of authorized things in short.
--
Michael