On Mon, Dec 21, 2020 at 8:06 PM Stephen Frost <sfr...@snowman.net> wrote:
>
> Greetings,
>
> * Magnus Hagander (mag...@hagander.net) wrote:
> > On Mon, Dec 21, 2020 at 7:44 PM Tom Lane <t...@sss.pgh.pa.us> wrote:
> > > BTW, do we have a client-side setting to insist that passwords not be
> > > sent in MD5 hashing either?  A person who is paranoid about this would
> > > likely want to disable that code path as well.
> >
> > I don't think we do, and we possibly should. You can require channel
> > binding which will require scram which solves the problem, but it does
> > so only for scram.
> >
> > IIRC we've discussed having a parameter that says "allowed
> > authentication methods" on the client as well, but I don't believe it
> > has been built. But it wouldn't be bad to be able to for example force
> > the client to only attempt gssapi auth, regardless of what the server
> > asks for, and just fail if it's not there.
>
> The client is able to require a GSS encrypted connection, and a savvy
> user will realize that they should 'kinit' (or equivalent) locally and
> never provide their password explicitly to the psql (or equivalent)
> command, but that's certainly less than ideal.

Sure, but even if you do, then if you connect to a server that has gss
support but is configured for password auth, it will perform password
auth.


> Having a way to explicitly tell libpq what auth methods are acceptable
> was discussed previously and does generally seem like a good idea, as
> otherwise there's a lot of risk of what are essentially downgrade
> attacks.

That was my point exactly..

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/

