Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nOmtY-0004Xx-18 for pgsql-hackers@arkaria.postgresql.org; Mon, 28 Feb 2022 20:45:24 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nOmtW-0002sF-TV for pgsql-hackers@arkaria.postgresql.org; Mon, 28 Feb 2022 20:45:22 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nOmtW-0002s6-Jk for pgsql-hackers@lists.postgresql.org; Mon, 28 Feb 2022 20:45:22 +0000 Received: from tamriel.snowman.net ([70.109.60.50]) by makus.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nOmtT-0006FF-Vc for pgsql-hackers@lists.postgresql.org; Mon, 28 Feb 2022 20:45:21 +0000 Received: by tamriel.snowman.net (Postfix, from userid 1000) id 403D55F7A2; Mon, 28 Feb 2022 15:45:19 -0500 (EST) Date: Mon, 28 Feb 2022 15:45:19 -0500 From: Stephen Frost To: "Jonathan S. Katz" Cc: Tom Lane , Jeff Davis , samay sharma , pgsql-hackers@lists.postgresql.org, Andres Freund Subject: Re: Proposal: Support custom authentication methods using hooks Message-ID: <20220228204519.GL10577@tamriel.snowman.net> References: <1737574.1645753674@sss.pgh.pa.us> <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> <1905579.1645810764@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="HUNbJr+8XKUS5qN7" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --HUNbJr+8XKUS5qN7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings, * Jonathan S. Katz (jkatz@postgresql.org) wrote: > On 2/25/22 12:39 PM, Tom Lane wrote: > >Jeff Davis writes: > >>On Thu, 2022-02-24 at 20:47 -0500, Tom Lane wrote: > >>>... and, since we can't readily enforce that the client only sends > >>>those cleartext passwords over suitably-encrypted connections, this > >>>could easily be a net negative for security. Not sure that I think > >>>it's a good idea. > > > >>I don't understand your point. Can't you just use "hostssl" rather than > >>"host"? > > > >My point is that sending cleartext passwords over the wire is an > >insecure-by-definition protocol that we shouldn't be encouraging > >more use of. >=20 > This is my general feeling as well. We just spent a bunch of effort addin= g, > refining, and making SCRAM the default method. I think doing anything that > would drive more use of sending plaintext passwords, even over TLS, is > counter to that. Agreed. > I do understand arguments for (e.g. systems that require checking password > complexity), but I wonder if it's better for us to delegate that to an > external auth system. Regardless, I can get behind Andres' point to "check > Port->ssl_in_use before sendAuthRequest(AUTH_REQ_PASSWORD)". Password complexity is only needed to be checked at the time of password change though, which is not on every login, and should be after a confirmed mutual authentication between the client and the server. That's a very different situation. > I'm generally in favor of being able to support additional authentication > methods, the first one coming to mind is supporting OIDC. Having a plugga= ble > auth infrastructure could possibly make such efforts easier. I'm definite= ly > intrigued. I'm not thrilled with the idea, for my part. Thanks, Stephen --HUNbJr+8XKUS5qN7 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJiHTReAAoJEO1sijiDR2RVKqQP/i1b9SMiCoTDuXkyLnYVG9tG runVRpQc3SFHx6zqBD8w2yCZifPA/Yp08PUDT7QO2ztEURcQN8y7V9tsjVAqqEpC Bv4cexBR3HVfq8vPj5tNPfPejS8WLu/loVQNUoMIZ3w41VBjiWYdxTrBoL11sJyU Fep1oUT4R9USsNxnWrWRgMYIEj4iBD1vuLFqexEJKQYxQPd2dnZRr6No10gaoGDP shGUDiWF0O3R/NfjVlCZosiseNbLeOXKbEOB9AKfECCfwBeKYQvXLehSIstDVDv/ qz/UCF13OXngPvDRQSX1iUxLoKsMnZm6JOrPFxzo6RNhNhSKcMWFJqK3IBONw4tE Is/DI9HOq6rxDPysKAYmVybafcBIKZVTEQ/jikaLiV1/eQ6Op+J4sM8Or/QgBNYk 2vW1ve8v8tfJnrfe/CNr7zvhIISIYKS9WsTwh0DNOZJKJv8YkjWlPEo6mWJaXYQH 51gv/fXiuOEezxHDBGH/3M7EpYFHIaVLeUIiBpaB7VSQisbXq23V2qjoup2mFnDk 70GXGaByqCS1wag1edhOw8VhDHI5w4LY+RN8prKb73hWyiCl8X3GYLMPc0A+bhbV ONq3UXtb4P1iUHHX6Br6apVCSkBokbP4GqlkBkUn1o0CAN7iKwx/gTKnO0X0SvH+ YgZ+FvsdlO1l36wj4sjN =3Xq6 -----END PGP SIGNATURE----- --HUNbJr+8XKUS5qN7--