Re: [PoC] Let libpq reject unexpected authentication requests
| От | Jacob Champion |
|---|---|
| Тема | Re: [PoC] Let libpq reject unexpected authentication requests |
| Дата | |
| Msg-id | CAAWbhmizLpLdCVj=6YaH92v+raLnFi=-tD6fppcRMtObLxV9ow@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: [PoC] Let libpq reject unexpected authentication requests (Jacob Champion <jchampion@timescale.com>) |
| Ответы |
Re: [PoC] Let libpq reject unexpected authentication requests
|
| Список | pgsql-hackers |
v2 rebases over latest, removes the alternate spellings of "password", and implements OR operations with a comma-separated list. For example: - require_auth=cert means that the server must ask for, and the client must provide, a client certificate. - require_auth=password,md5 means that the server must ask for a plaintext password or an MD5 hash. - require_auth=scram-sha-256,gss means that one of SCRAM, Kerberos authentication, or GSS transport encryption must be successfully negotiated. - require_auth=scram-sha-256,cert means that either a SCRAM handshake must be completed, or the server must request a client certificate. It has a potential pitfall in that it allows a partial SCRAM handshake, as long as a certificate is requested and sent. AND and NOT, discussed upthread, are not yet implemented. I tied myself up in knots trying to make AND generic, so I think I"m going to tackle NOT first, instead. The problem with AND is that it only makes sense when one (and only one) of the options is a form of transport authentication. (E.g. password+md5 never makes sense.) And although cert+<something> and gss+<something> could be useful, the latter case is already handled by gssencmode=require, and the gssencmode option is more powerful since you can disable it (or set it to don't-care). I'm not generally happy with how the "cert" option is working. With the other methods, if you don't include a method in the list, then the connection fails if the server tries to negotiate it. But if you don't include the cert method in the list, we don't forbid the server from asking for a cert, because the server always asks for a client certificate via TLS whether it needs one or not. Behaving in the intuitive way here would effectively break all use of TLS. So I think Tom's recommendation that the cert method be handled by an orthogonal option was a good one, and if that works then maybe we don't need an AND syntax at all. Presumably I can just add an option that parallels gssencmode, and then the current don't-care semantics can be explicitly controlled. Skipping AND also means that I don't have to create a syntax that can handle AND and NOT at the same time, which I was dreading. --Jacob
Вложения
В списке pgsql-hackers по дате отправления: