Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1whVsM-000Gtb-1U for pgsql-hackers@arkaria.postgresql.org; Wed, 08 Jul 2026 17:15:58 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1whVsK-008NJY-34 for pgsql-hackers@arkaria.postgresql.org; Wed, 08 Jul 2026 17:15:57 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1whVsK-008NJQ-26 for pgsql-hackers@lists.postgresql.org; Wed, 08 Jul 2026 17:15:57 +0000 Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1whVsI-00000000JIB-0ouT for pgsql-hackers@lists.postgresql.org; Wed, 08 Jul 2026 17:15:57 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:In-Reply-To:Content-Transfer-Encoding: Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date: Reply-To:Content-ID:Content-Description; bh=+LL03zEIRsYii1OqxMPQ9l9kH3NU3g+x62gzh+Wc/Ro=; b=OMW/6OD7tN1yXv9mnv02TZsFhm N9jPRDfswTAqx11wexiKRq6Tm7sEKB9szdQ/t3WNLW9XmNRgllVX/ZJ/YuFAj5Bc7K9kSDnjrFqxG Oe7kPp0gh68Gy5MMZIg5udcg7tvPFaWAS7YZ4xGY8suCOXAx5kmqxg8RmZt/xhmPqfPedtZrrv/CP C7j4mFkJLps/yt8dT5kMLv+zcH+5XfOZ+576ilCzf2yA+16n4gOzMDf6PhCg3t7554Es1j0VmbzWt eELz2NBL+GuDrb38cFatOgJ09lFSyc41pmXaQNTmHdoD68fn2CA4s5Xur/UjH33BkXCktuSIpur0p V1vlXJzA==; Received: from authenticated-user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1whVsC-0036Q6-1I; Wed, 08 Jul 2026 17:15:48 +0000 Date: Wed, 8 Jul 2026 19:15:47 +0200 From: Christoph Berg To: Diego Cc: pgsql-hackers@lists.postgresql.org Subject: Re: libpq: decouple the .pgpass lookup port from the connection port Message-ID: References: <001a6f1d-4adb-42b2-8bf6-44154ed0ab97@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <001a6f1d-4adb-42b2-8bf6-44154ed0ab97@gmail.com> X-Debian-User: myon List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Re: Diego > Why the port wildcard is not enough > ----------------------------------- > > One can write the entry with a wildcard port: > >     db.example.com:*:appdb:alice:secret > and it does match the tunnel. But the wildcard over-matches: a single > local forwarding port (say 54321, or even a fixed local port reused for > several tunnels at different times) ends up matching every server reached > through that port, If you are giving the correct remote name to libpq, the rule won't match several different hosts. If you don't care about that part, you don't need anything extra and could just match on localhost:54321 (or localhost:*). > so the same password line can be applied to different > servers. That is precisely the kind of "password sent to the wrong > server" situation the 2018 host fix was trying to avoid. The wildcard > trades safety for convenience; it is not a substitute for matching the > real server port. Don't use a wildcard, put :54321 in. TBH I don't see why yet more connection parameters are required when the problem is already solved by setting the hostname/hostaddr correctly. (The part that remains when doing that can be avoided by not reusing ports I think. You should do that anyway for general sanity.) >     - pgpassport / passfileport (it only affects the password file) Is this proposal just a giant buildup for a "PG passport" joke? :) Christoph