Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNfzK-0007rv-H7 for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 19:10:46 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nNfzI-00005g-Vt for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 19:10:44 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNfzI-00005W-NB for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 19:10:44 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNfzG-0007Ub-8G for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 19:10:44 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 21PJAdfU1980352; Fri, 25 Feb 2022 14:10:39 -0500 From: Tom Lane To: Jeff Davis cc: samay sharma , pgsql-hackers@lists.postgresql.org Subject: Re: Proposal: Support custom authentication methods using hooks In-reply-to: <2718414dc095b716e59e126c03af343997d14c7b.camel@j-davis.com> References: <1737574.1645753674@sss.pgh.pa.us> <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> <1905579.1645810764@sss.pgh.pa.us> <2718414dc095b716e59e126c03af343997d14c7b.camel@j-davis.com> Comments: In-reply-to Jeff Davis message dated "Fri, 25 Feb 2022 10:57:41 -0800" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1980350.1645816239.1@sss.pgh.pa.us> Date: Fri, 25 Feb 2022 14:10:39 -0500 Message-ID: <1980351.1645816239@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Jeff Davis writes: > On Fri, 2022-02-25 at 12:39 -0500, Tom Lane wrote: >> My point is that sending cleartext passwords over the wire is an >> insecure-by-definition protocol that we shouldn't be encouraging >> more use of. > We can require custom auth entries in pg_hba.conf to also specify > local, hostssl or hostgssenc. That's just a band-aid, though. It does nothing for the other reasons not to want cleartext passwords, notably that you might be giving your password to a compromised server. I'm happy to add support for custom auth methods if they can use a protocol that's safer than cleartext-password. But if that's the only feasible option, then we're just encouraging people to use insecure methods. I also have in mind here that there has been discussion of giving libpq a feature to refuse, on the client side, to send cleartext passwords. (I don't recall right now if that's been mentioned publicly or only among the security team, but it's definitely under consideration.) So I think this proposal needs more thought. A server-side hook alone is not a useful improvement IMO; it's closer to being an attractive nuisance. regards, tom lane