Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPZqn-0000NQ-0E for pgsql-hackers@arkaria.postgresql.org; Thu, 03 Mar 2022 01:01:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nPZqk-00056Y-Pe for pgsql-hackers@arkaria.postgresql.org; Thu, 03 Mar 2022 01:01:46 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPZqk-00056P-8Z for pgsql-hackers@lists.postgresql.org; Thu, 03 Mar 2022 01:01:46 +0000 Received: from mx0a-0050f201.pphosted.com ([148.163.145.86]) by makus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPZqh-0005YI-Is for pgsql-hackers@lists.postgresql.org; Thu, 03 Mar 2022 01:01:45 +0000 Received: from pps.filterd (m0203369.ppops.net [127.0.0.1]) by mx0b-0050f201.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 222LvJFk011059 for ; Thu, 3 Mar 2022 10:01:41 +0900 Received: from sraihe.sra.co.jp (sraihe.sra.co.jp [221.255.117.38]) by mx0b-0050f201.pphosted.com (PPS) with ESMTP id 3ehhv29q9e-1 for ; Thu, 03 Mar 2022 10:01:41 +0900 Received: from srascb.sra.co.jp (srascb [133.137.8.65]) by sraihe.sra.co.jp (Postfix) with ESMTP id E33382A6865 for ; Thu, 3 Mar 2022 10:01:40 +0900 (JST) Received: from sranhm.sra.co.jp (osspc47 [133.137.174.164]) by srascb.sra.co.jp (Postfix) with ESMTP id D1756580261 for ; Thu, 3 Mar 2022 10:01:40 +0900 (JST) Received: from localhost (sraihb-hub.sra.co.jp [133.137.8.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sranhm.sra.co.jp (Postfix) with ESMTPSA id 857613406AA; Thu, 3 Mar 2022 10:01:40 +0900 (JST) Date: Thu, 03 Mar 2022 10:01:36 +0900 (JST) Message-Id: <20220303.100136.386974761629697042.t-ishii@sranhm.sra.co.jp> To: jkatz@postgresql.org Cc: tgl@sss.pgh.pa.us, pgsql@j-davis.com, smilingsamay@gmail.com, pgsql-hackers@lists.postgresql.org, andres@anarazel.de Subject: Re: Proposal: Support custom authentication methods using hooks,Re: Proposal: Support custom authentication methods using hooks From: Tatsuo Ishii In-Reply-To: References: <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> <1905579.1645810764@sss.pgh.pa.us> X-Mailer: Mew version 6.8 on Emacs 26.3 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Proofpoint-GUID: P8Ax93ctlCaHnhvDQNCBo_QRqgHJ8WEp X-Proofpoint-ORIG-GUID: P8Ax93ctlCaHnhvDQNCBo_QRqgHJ8WEp X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10274 signatures=686787 X-Proofpoint-Spam-Details: rule=spam_low_notspam policy=spam_low score=0 mlxscore=0 priorityscore=1501 adultscore=0 phishscore=0 impostorscore=0 malwarescore=0 lowpriorityscore=0 suspectscore=0 bulkscore=0 clxscore=1034 spamscore=0 mlxlogscore=751 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2203030003 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 2/25/22 12:39 PM, Tom Lane wrote: >> Jeff Davis writes: >>> On Thu, 2022-02-24 at 20:47 -0500, Tom Lane wrote: >>>> ... and, since we can't readily enforce that the client only sends >>>> those cleartext passwords over suitably-encrypted connections, this >>>> could easily be a net negative for security. Not sure that I think >>>> it's a good idea. >> >>> I don't understand your point. Can't you just use "hostssl" rather >>> than >>> "host"? >> My point is that sending cleartext passwords over the wire is an >> insecure-by-definition protocol that we shouldn't be encouraging >> more use of. > > This is my general feeling as well. We just spent a bunch of effort > adding, refining, and making SCRAM the default method. I think doing > anything that would drive more use of sending plaintext passwords, > even over TLS, is counter to that. There's at least one use case to use plaintext passwords. Pgpool-II accepts plaintext passwords from frontend (from frontend's point of view, it looks as if the frontend speaks with PostgreSQL server which requests the plaintext password authentication), then negotiates with backends regarding authentication method they demand. Suppose we have 2 PostgreSQL clusters and they require md5 auth. They send different password encryption salt and Pgpool-II deal with each server using the salt and password. So Pgpool-II needs plaintext password. Same thing can be said to SCRAM-SHA-256 authentication because it's kind of challenge/response based authentication. Actually it is possible for Pgpool-II to not use plaintext passwords reading from frontend. In this case passwords are stored in a file and Pgpool-II reads passwords from the file. But this is annoying for users because they have to sync the passwords stored in PostgreSQL with the passwords stored in the file. So, dropping plaintext password authentication support from libpq will make it impossible for users to use the former method. Best reagards, -- Tatsuo Ishii SRA OSS, Inc. Japan English: http://www.sraoss.co.jp/index_en.php Japanese:http://www.sraoss.co.jp