Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNfmo-00076j-Md for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 18:57:50 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nNfmm-0007Td-JK for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 18:57:48 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNfmm-0007SL-6Y for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 18:57:48 +0000 Received: from mail-pj1-x1030.google.com ([2607:f8b0:4864:20::1030]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nNfmi-0005cj-NM for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 18:57:47 +0000 Received: by mail-pj1-x1030.google.com with SMTP id m22so5611669pja.0 for ; Fri, 25 Feb 2022 10:57:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20210112.gappssmtp.com; s=20210112; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=bgXrudxgwpIrDIMvOJFQiYXDjYw9eS1itWbRnLHrv9w=; b=JF755gzkL3BBPFOCxtZhmdy+FcuY//VCHNkuua+Qhm4xOrwKlit+p7KAeZJYbihJYW Q+jmYE7Be4hJ722He9r0zzEo1aNt12PKEPIW4bgQc7FWubL2o2L+5+UcLNSdSQf+M1hN 0tkXXWOYt4D8f9/h9H9DofxoQ9Q68uOA6yuJxI0IHK9GRWnkqT34qPd+p1y08cXjjnHK YP5598x6ozNCpo9cRWX9V2npuD2KRigtv+GWr0E6guYBDAvOIp6t0QRqeUUEBZkV3YUb C83wRtR5iOyb02Tonj2UuCePjo6FwtTMLRO4fHdHjYnvAmW/Gyl2AZzgW/P13DUNRInb jC2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=bgXrudxgwpIrDIMvOJFQiYXDjYw9eS1itWbRnLHrv9w=; b=LI2ZcJG5SpSRIsXnuNNGiTeaEn8+hckjDqJCpDVP0yN/GiqBf4dgkCgWa9NCQo5Lyv ma/iZXvyOFMF2QFh/tpus9AEy0j/Z2YKg8BKK1BjP8fhIqzDV5S6tHk6ONrCl1FsrcCC Qx7BAXmO1CZHwPXZHBrBnxaOpcryzvApwy472stNufqwtV14LryrbEJ5U9+BocmkpV1V O30LEtWbmvsJoe3HibUodXxKJ7Dy1aBddaI8l+nZKvN88NrW8jui9w2GVTDuIeD3jwzd 70ex3042HSKU9oV2f+4Ivr9T1aA7etcM86CdsmqyINhCBhBf5QNMJV+l1XMjs7tEcxOu ZvDw== X-Gm-Message-State: AOAM530fAs6nD6Ys1QHfIOUipLmU+nTfhEhJxSIgIgOBk8xblRVzmOX4 K+jdtRDfgU4tzpmUqlcS5eo5SQ== X-Google-Smtp-Source: ABdhPJxg4SNwkqNoNm/AG03+DcZz8x5mXHAnqC79s6zIK4D/aNM58bcnmHNlpYPLybsSmxzkMxsBzA== X-Received: by 2002:a17:90a:a097:b0:1b9:5f0:6706 with SMTP id r23-20020a17090aa09700b001b905f06706mr4498619pjp.6.1645815463546; Fri, 25 Feb 2022 10:57:43 -0800 (PST) Received: from jdavis.lan (c-73-231-146-4.hsd1.ca.comcast.net. [73.231.146.4]) by smtp.gmail.com with ESMTPSA id j13-20020a056a00130d00b004f1025a4361sm4026848pfu.202.2022.02.25.10.57.42 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 25 Feb 2022 10:57:42 -0800 (PST) Message-ID: <2718414dc095b716e59e126c03af343997d14c7b.camel@j-davis.com> Subject: Re: Proposal: Support custom authentication methods using hooks From: Jeff Davis To: Tom Lane Cc: samay sharma , pgsql-hackers@lists.postgresql.org Date: Fri, 25 Feb 2022 10:57:41 -0800 In-Reply-To: <1905579.1645810764@sss.pgh.pa.us> References: <1737574.1645753674@sss.pgh.pa.us> <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> <1905579.1645810764@sss.pgh.pa.us> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, 2022-02-25 at 12:39 -0500, Tom Lane wrote: > My point is that sending cleartext passwords over the wire is an > insecure-by-definition protocol that we shouldn't be encouraging > more use of. We can require custom auth entries in pg_hba.conf to also specify local, hostssl or hostgssenc. It might annoy people who have a network secured at some other layer, or who have the client on the same machine as the host. We could allow plain "host" if someone specifies "customplain" explicitly. Regards, Jeff Davis