On Fri, Aug 09, 2019 at 09:28:50AM -0400, Stephen Frost wrote:
> I don't really care for auth_protocol as that's pretty close to
> "auth_method" and that isn't what we're talking about here- this isn't
> the user picking the auth method, per se, but rather saying which of the
> password-based mechanisms for communicating that the user knows the
> password is acceptable. Letting users choose which auth methods are
> allowed might also be interesting (as in- we are in a Kerberized
> environment and therefore no client should ever be using any auth method
> except GSS, could be a reasonable ask) but it's not the same thing.
>
> What restriction are you suggesting here wrt krb5..?
What I suggested in this previous set of emails is if it would make sense to extend what libpq can restrict at authentication time to not only be password-based authentication methods, but also if we could have a connection parameter allowing us to say "please I want krb5/gss and nothing else". My point is that password-based authentication is only one portion of the problem as what we are looking at is applying a filtering on AUTH_REQ messages that libpq receives from the server (SCRAM with and without channel binding is an exception as that's handled as part of the SASL set of messages), but at a high level we are going to need a filtering of the first authentication message received anyway. But that's also basically what you outline in this previous paragraph of yours.
--
Michael
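The filtering of the first authentication message that the reply above describes, as an added illustration that is not libpq's code and not part of this thread: the client holds an allow-list of methods it is willing to answer, decodes the server's first AuthenticationRequest ('R') message, and refuses to continue if the server asks for anything else, so a server (or someone in the path) cannot downgrade a client that expects GSS or SCRAM into sending a cleartext or MD5 password. The message framing and authentication codes are those of the PostgreSQL frontend/backend protocol; the method names used in the allow-list, the `select_method` function and the sample messages are assumptions constructed for this example.

```python
"""Client-side allow-list over the first PostgreSQL AuthenticationRequest message.

Added example (not libpq code): the client states which authentication methods
it will answer; any first 'R' message asking for something else is rejected
before any secret leaves the client.
"""
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_OK = 0
AUTH_CLEARTEXT_PASSWORD = 3
AUTH_MD5_PASSWORD = 5
AUTH_GSS = 7
AUTH_SSPI = 9
AUTH_SASL = 10

# Allow-list names (assumed for this example; they mirror pg_hba.conf method
# names where one exists). AuthenticationOk as the *first* message means the
# server asked for no proof at all, which a strict client may also refuse.
CODE_TO_METHOD = {
    AUTH_OK: "none",
    AUTH_CLEARTEXT_PASSWORD: "password",
    AUTH_MD5_PASSWORD: "md5",
    AUTH_GSS: "gss",
    AUTH_SSPI: "sspi",
}

# SASL mechanisms the server may list, strongest first (the -PLUS variant
# carries channel binding).
SASL_PREFERENCE = [
    ("SCRAM-SHA-256-PLUS", "scram-sha-256-plus"),
    ("SCRAM-SHA-256", "scram-sha-256"),
]


class AuthMethodRejected(Exception):
    """The server's first authentication request is not on the client's allow-list."""


def build_auth_request(code: int, payload: bytes = b"") -> bytes:
    """Encode a backend 'R' message: type byte, int32 length (including itself), int32 code, payload."""
    return b"R" + struct.pack("!ii", 4 + 4 + len(payload), code) + payload


def parse_auth_request(msg: bytes):
    """Decode an 'R' message into (code, payload), validating the framing first."""
    if len(msg) < 9 or msg[:1] != b"R":
        raise ValueError("not an AuthenticationRequest message")
    length, code = struct.unpack("!ii", msg[1:9])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    return code, msg[9:]


def sasl_mechanisms(payload: bytes):
    """AuthenticationSASL payload: NUL-terminated mechanism names ending with an empty name."""
    return [name.decode("ascii") for name in payload.split(b"\x00") if name]


def select_method(first_msg: bytes, allowed) -> str:
    """Return the allow-listed method the server's first request offers, else raise.

    `allowed` is the client policy, e.g. {"gss"} for "krb5/gss and nothing else",
    or {"scram-sha-256-plus"} to insist on SCRAM with channel binding.
    """
    allowed = set(allowed)
    code, payload = parse_auth_request(first_msg)
    if code == AUTH_SASL:
        offered = sasl_mechanisms(payload)
        for wire_name, method in SASL_PREFERENCE:
            if wire_name in offered and method in allowed:
                return method
        raise AuthMethodRejected(f"server offered SASL {offered}, policy allows {sorted(allowed)}")
    method = CODE_TO_METHOD.get(code, f"unknown({code})")
    if method not in allowed:
        raise AuthMethodRejected(f"server requested {method}, policy allows {sorted(allowed)}")
    return method


def is_allowed(first_msg: bytes, allowed) -> bool:
    """Boolean form of select_method, for callers that just want a yes/no decision."""
    try:
        select_method(first_msg, allowed)
        return True
    except AuthMethodRejected:
        return False


if __name__ == "__main__":
    # Constructed sample messages standing in for what a server would send.
    sasl_msg = build_auth_request(AUTH_SASL, b"SCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00")
    print(select_method(sasl_msg, {"scram-sha-256", "scram-sha-256-plus"}))  # scram-sha-256-plus
    print(is_allowed(build_auth_request(AUTH_CLEARTEXT_PASSWORD), {"gss"}))  # False
```

The check runs on the first 'R' message only; once a method is selected, the SASL or GSS continuation messages belong to that method's exchange and are validated by it, which is the split between "filter the first authentication message" and "SCRAM is handled inside the SASL messages" that the reply draws.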