Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNeaS-0004Hd-Kv for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 17:41:01 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nNeaR-0001qC-Ff for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 17:40:59 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNeaQ-0001pw-9R for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 17:40:59 +0000 Received: from out4-smtp.messagingengine.com ([66.111.4.28]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNeaN-00052Z-ND for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 17:40:57 +0000 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id E82A55C0103; Fri, 25 Feb 2022 12:40:54 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Fri, 25 Feb 2022 12:40:54 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm3; bh=rwWY8DofbkP3SZY25OLJGNXWg5zYZDWBB7/vCk 3Q1hk=; b=bu8Hskg+Zl7889MJ+20vG7IGUzzZEfZb/LXjMRRuFDLTuJIu7gnkEY 6wjX10nrcw4K96bR76sugGfRZ5kitBYRJx2M93mODRuSTrqOaUEsi6Y+6FbsT66u ioeW23roqhuVSj0CFlXSvVtPm3hk/Yf7iTYdn72U+8ZCm43GPia8e2bJvoqle1Ok +lxt4LDqiI4pF489QfJhN+PyDBC+tfPw74v1iTpiLKP4aeioCNC2hNJ258C61uzy 8Cf4NeTegahg9DbAtRqFrMwfNvRDczck/IGZJvCnDHY/7TYpn5fu8o8uzx7zaMQJ C5b2F6DcT94l7BSBUJ2yCVtYkzZNXsuw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=rwWY8DofbkP3SZY25 OLJGNXWg5zYZDWBB7/vCk3Q1hk=; b=TcQXmjyAcK/LgBTKGZrUq5K3IQ8D+ipED Ym1KssCmECIYLlo3VGjq1htEVu0AIwpGiYrQKNkc0eQST+PJZ6LIbwxLGxb0+zC5 HDpY2Qaim9MygKLjaGJlHd0UYqSE4yMB8FahHOBZGjgnnoSxPuvrxcu98mw7jMr2 4wbcaVOYapAXXUaKr6tJJE2iSknmGYBUT2gcbptEUwAou3/XZ/ybZLKejEX4QEqL RV9LJVtdhK055SBz657kU27ikgxA2uSim9k5a6zWNXzONM7cn1RtYou2qHfvjfq9 mM1aj6gYcpwt8f5Z84W00dNloH94mh8FJM7SJPuh/pQ6eSPkl+tAQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrleeggddutdegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujgesthdtre dttddtvdenucfhrhhomheptehnughrvghsucfhrhgvuhhnugcuoegrnhgurhgvshesrghn rghrrgiivghlrdguvgeqnecuggftrfgrthhtvghrnhepudekhfekleeugeevteehleffff ejgeelueduleeffeeutdelffeujeffhfeuffdunecuvehluhhsthgvrhfuihiivgeptden ucfrrghrrghmpehmrghilhhfrhhomheprghnughrvghssegrnhgrrhgriigvlhdruggv X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 25 Feb 2022 12:40:54 -0500 (EST) Date: Fri, 25 Feb 2022 09:40:53 -0800 From: Andres Freund To: Jeff Davis Cc: Tom Lane , samay sharma , pgsql-hackers@lists.postgresql.org Subject: Re: Proposal: Support custom authentication methods using hooks Message-ID: <20220225174053.grc7q2cqlo5t2vet@alap3.anarazel.de> References: <1737574.1645753674@sss.pgh.pa.us> <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, On 2022-02-25 09:33:45 -0800, Jeff Davis wrote: > On Thu, 2022-02-24 at 20:47 -0500, Tom Lane wrote: > > ... and, since we can't readily enforce that the client only sends > > those cleartext passwords over suitably-encrypted connections, this > > could easily be a net negative for security. Not sure that I think > > it's a good idea. > > I don't understand your point. Can't you just use "hostssl" rather than > "host"? And the extension could check Port->ssl_in_use before sendAuthRequest(AUTH_REQ_PASSWORD) if it wanted to restrict it. Greetings, Andres Freund