On Mon, 2020-12-21 at 13:44 -0500, Tom Lane wrote: > Hm. I'm less concerned about that scenario than about somebody > snooping > the on-the-wire traffic. If we're going to invent a connection > setting > for this, I'd say that in addition to "ok to send cleartext password" > and "never ok to send cleartext password", there should be a setting > for > "send cleartext password only if connection is encrypted". Possibly > that should even be the default.
There was a fair amount of related discussion here: https://www.postgresql.org/message-id/227015d8417f2b4fef03f8966dbfa5cbcc4f44da.camel%40j-davis.com My feeling after all of that discussion is that the next step would be to move to some kind of negotiation between client and server about which methods are mutually acceptable. Right now, the protocol is structured around the server driving the authentication process, and the most the client can do is abort. > BTW, do we have a client-side setting to insist that passwords not be > sent in MD5 hashing either? A person who is paranoid about this > would > likely want to disable that code path as well. channel_binding=require is one way to do it, but it also requires ssl. Regards, Jeff Davis
