Re: dblink connection security

Joe Conway <mail@joeconway.com> writes:
> Tom Lane wrote:
>> bool PQconnectionUsedPassword(const PGconn *conn);

> Maybe PQconnectionUsedAuthToken() to mean "data supplied by the client",
> including other potential future mechanisms?

Well, that'd not solve the pre-existing problem of how to tell whether
to request a password.  If we had a fairly clear idea of what other
sorts of auth tokens might be involved, I'd be willing to go that way,
but I distrust our ability to design it today.

>> This idea isn't usable as a back-patch, however, because adding
>> functions to existing libpq versions is too chancy.  What we could
>> possibly do in back versions is, if dblink_connect is called by a
>> non-superuser, first issue the connection attempt without any password
>> and reject if that doesn't fail.

> Why not just require the connect string to contain a password for
> non-superusers?

Doesn't fix the problem, because you don't know whether libpq actually
used the password or not.

> I won't have time to work on this until the end of the coming week --

No hurry, I don't think there are any short-term plans for a release.

            regards, tom lane