Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNgaZ-0000l3-KD for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 19:49:16 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nNgaY-00043U-8u for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 19:49:14 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNgaW-00043L-Cm for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 19:49:14 +0000 Received: from wout1-smtp.messagingengine.com ([64.147.123.24]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNgaS-0007l8-4h for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 19:49:12 +0000 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 7E43E3202010; Fri, 25 Feb 2022 14:49:04 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Fri, 25 Feb 2022 14:49:04 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm3; bh=LYQXRXmTDARaEpDMYBMV5B7q58dbevSKWsqnoc fP+gQ=; b=uQv6MllumO77mZ/eCLgLT7TsypEALqwurKCCEXb+Of/q/+Un9GwYbq frn5d/I6nIVkVhAjZeI0DjvO92MhCFFBGBemDcnVQAzAa6oGFMMbbYf3C11OXhpc Cky0hPGPHLCzJBGfWKiEw1rbv/NcmTuoXc39V0iTYo0/3kBtjrxAxkvZQQSS/83c LiIcyWpH0IlfdDFTMNca3tiMthsbf6vsUdqJySkGmYmTvomm9CXdmSR+/qj0eiq3 DMA/UhrwMDXMLGOnjBVwBVAvfGrusqGOLm5dXztiFx+rWtqNM5+VQKIkTXkusX1Q dOLW4Y2s9j4Gpny9RpegciV3kY77NHUA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=LYQXRXmTDARaEpDMY BMV5B7q58dbevSKWsqnocfP+gQ=; b=UNV2kjifoJObaSuiXxJoCN+4uiQZhts/u jNKjtaUdUeNmDIm6a7pF6tHXHTJYQ54NAMtiJ02Lw4QhxgoGkYoyCnR38hg8yxyh DSgew1A4N7RSYaSe4QsKeQ0QVyutsBYylwhGiDfPLahwGWFzzg8Am06/zj5TxvNF 8M2da8C1hJjOfpCa0L8IbPbk8VjOZUEcfFFwyD6VHKMeKAQindkxO3Off/kEs2HB RWabdAInEfAoTMvJV0MQR5LohLsPI5deOf/TmhIsBOghUExikg+XxOOu1fNz6YRG P+/RDmuW+N2obUtMMwswu1Be1lh6uGXKRJlSwZEDxmesOZpDh9oVg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrleeggddufedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujgesthdtre dttddtvdenucfhrhhomheptehnughrvghsucfhrhgvuhhnugcuoegrnhgurhgvshesrghn rghrrgiivghlrdguvgeqnecuggftrfgrthhtvghrnhepudekhfekleeugeevteehleffff ejgeelueduleeffeeutdelffeujeffhfeuffdunecuvehluhhsthgvrhfuihiivgeptden ucfrrghrrghmpehmrghilhhfrhhomheprghnughrvghssegrnhgrrhgriigvlhdruggv X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 25 Feb 2022 14:49:03 -0500 (EST) Date: Fri, 25 Feb 2022 11:49:02 -0800 From: Andres Freund To: Tom Lane Cc: Jeff Davis , samay sharma , pgsql-hackers@lists.postgresql.org Subject: Re: Proposal: Support custom authentication methods using hooks Message-ID: <20220225194902.zeuku7srobumnbsy@alap3.anarazel.de> References: <1737574.1645753674@sss.pgh.pa.us> <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> <1905579.1645810764@sss.pgh.pa.us> <2718414dc095b716e59e126c03af343997d14c7b.camel@j-davis.com> <1980351.1645816239@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1980351.1645816239@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, On 2022-02-25 14:10:39 -0500, Tom Lane wrote: > I'm happy to add support for custom auth methods if they can use > a protocol that's safer than cleartext-password. But if that's the > only feasible option, then we're just encouraging people to use > insecure methods. It looks like scram can be used without much trouble. All the necessary infrastructure to implement it without duplication appears to be public. The plugin would need to get a secret from whereever and call CheckSASLAuth(&pg_be_scram_mech, port, shadow_pass, logdetail); or if it needs to do something more complicated than CheckSASLAuth(), it can use AUTH_REQ_SASL{,_FIN CONT} itself. Of course whether it's viable depends on what the custom auth method wants to do. But it's not a restriction of the authentication plugin model. Greetings, Andres Freund