public inbox for [email protected]
help / color / mirror / Atom feedFrom: Jacob Champion <[email protected]>
To: Jelte Fennema-Nio <[email protected]>
Cc: Matheus Alcantara <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: SCRAM pass-through authentication for postgres_fdw
Date: Wed, 4 Dec 2024 15:39:00 -0800
Message-ID: <CAOYmi+=q0vsu=aBJhg95NAE1d562-rBfV5TuyohSoj_0n6+fjg@mail.gmail.com> (raw)
In-Reply-To: <CAGECzQQeq5ze1XBwhb+hbqoOicv5W95GanHA6=x1YG_mnbZyww@mail.gmail.com>
References: <[email protected]>
<CAOYmi+=tX4a_eXU5bhj+z7w0ZkZ-EAQ9YLYSnoGxjmdFw8AHxA@mail.gmail.com>
<CAGECzQQeq5ze1XBwhb+hbqoOicv5W95GanHA6=x1YG_mnbZyww@mail.gmail.com>
On Wed, Dec 4, 2024 at 3:05 PM Jelte Fennema-Nio <[email protected]> wrote:
> I only see advantages over the
> alternative, which is copying the plaintext password around. In case
> of compromise of the server, only the salt+verifier has to be rotated,
> not the actual user password.
Sure, I'm not saying it's worse than plaintext. But a third
alternative might be actual pass-through SCRAM [1], where either you
expect the two servers to share a certificate fingerprint, or
explicitly disable channel bindings on the second authentication pass
in order to allow the MITM. (Or, throwing spaghetti, maybe even have
the primary server communicate the backend cert so you can verify it
and use it in the binding?)
All that is a metric ton more work and analysis, though.
--Jacob
[1] https://www.postgresql.org/message-id/9129a012-0415-947e-a68e-59d423071525%40timescale.com
view thread (8+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: SCRAM pass-through authentication for postgres_fdw
In-Reply-To: <CAOYmi+=q0vsu=aBJhg95NAE1d562-rBfV5TuyohSoj_0n6+fjg@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox