Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNeTY-00041z-Aa for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 17:33:52 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nNeTW-0004Fn-KO for pgsql-hackers@arkaria.postgresql.org; Fri, 25 Feb 2022 17:33:50 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nNeTW-0004DS-Ai for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 17:33:50 +0000 Received: from mail-pf1-x42e.google.com ([2607:f8b0:4864:20::42e]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nNeTU-0004w6-1U for pgsql-hackers@lists.postgresql.org; Fri, 25 Feb 2022 17:33:49 +0000 Received: by mail-pf1-x42e.google.com with SMTP id z15so5263680pfe.7 for ; Fri, 25 Feb 2022 09:33:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20210112.gappssmtp.com; s=20210112; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=3fa4Z0TXOFqmcm5eKe8D88V9tECjA2D30pLFSg+3yHQ=; b=iy/grNJjTgaf/STwbpqIExvGzzR+haK/yQCCI0ahNM+JfbfjPw5IrLUU/qiWimBtzL scsgXbTSPLDMJ8b0vqw7u8mRjGM0+vSCqnEKZmY0GQt4ldaH2PZO3YbONl/09+FYhXLz bgJ+phNXNiVY6H4UtyQr21UNpnGQEDoRXp+IwDZICxTftRTc+sNxFR+2axMBnxV8tyUG TI7oKFdZ+eCkVu75SS6qr2VPDkvGPKV7by3fj34AQT8qBdygrRTcnb8m+Ls33JkbmFHB 6b6HMfD85Z20hSh9nCJ7w+k88NcHLMrJLb7NTxjtjHO2UbzXhE53rSf2Gjfua7x9t+tC 0Smg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=3fa4Z0TXOFqmcm5eKe8D88V9tECjA2D30pLFSg+3yHQ=; b=mhz3VBb7uTt4lcNpq5QKUNT5SBdZmCWVv9NXgx6zcsQHbV6bgw3cWlnN1EVaBj9Ar5 QB3655OQUE2jpvjK4jce9Kqkq6CNrR/KO259fY9TQxCLR6OpoiDjHa9RUBEAsbB+gILm uQsi1UzYmHS3PAwaTxFMmFxfbV5yYu46vbVKBXnA9yKyv7LJgbBKm1/BEZQH96416KOU h1RxK56DYOKZEIk+0y1Cy1cKRl29UszZRAxJGUe+A5UxVUvPZqkc/ew6LWtWtPR4bbGd FHJ1W+1zzMTFLgfkynV8hRBgPQyoe9eCUGk2V6xgbvzj+BlDjV/IWzeZbCNejVK8wShz jfSg== X-Gm-Message-State: AOAM532C+9tOhCnlMAj3ys4bUPKtGjDuWMhIlQTpymVE09f4dOo8Xlwu acRfgkivTUI/mKLikaNS9NHWdQ== X-Google-Smtp-Source: ABdhPJwhZT3viyIthTwxBj6l+JtcvzFxS3vqP6Mb+U0WZ7mFPlPiWrf2UaHM73fryTu8iJu8ibcHHQ== X-Received: by 2002:a63:41c5:0:b0:378:3b1e:7ac7 with SMTP id o188-20020a6341c5000000b003783b1e7ac7mr2167352pga.266.1645810426992; Fri, 25 Feb 2022 09:33:46 -0800 (PST) Received: from jdavis.lan (c-73-231-146-4.hsd1.ca.comcast.net. [73.231.146.4]) by smtp.gmail.com with ESMTPSA id q13-20020a056a00088d00b004e1bea9c582sm4055683pfj.43.2022.02.25.09.33.45 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 25 Feb 2022 09:33:46 -0800 (PST) Message-ID: <54dc198b56a87e31e9625405383f04a8c6589b8b.camel@j-davis.com> Subject: Re: Proposal: Support custom authentication methods using hooks From: Jeff Davis To: Tom Lane Cc: samay sharma , pgsql-hackers@lists.postgresql.org Date: Fri, 25 Feb 2022 09:33:45 -0800 In-Reply-To: <1737574.1645753674@sss.pgh.pa.us> References: <1737574.1645753674@sss.pgh.pa.us> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, 2022-02-24 at 20:47 -0500, Tom Lane wrote: > ... and, since we can't readily enforce that the client only sends > those cleartext passwords over suitably-encrypted connections, this > could easily be a net negative for security. Not sure that I think > it's a good idea. I don't understand your point. Can't you just use "hostssl" rather than "host"? Also there are some useful cases that don't really require SSL, like when the client and host are on the same machine, or if you have a network secured some other way. Regards, Jeff Davis