Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l0YPH-0007uf-Ai for pgsql-interfaces@arkaria.postgresql.org; Fri, 15 Jan 2021 23:21:27 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1l0YPF-0002yf-V2 for pgsql-interfaces@arkaria.postgresql.org; Fri, 15 Jan 2021 23:21:25 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l0YPF-0002yO-Pr for pgsql-interfaces@lists.postgresql.org; Fri, 15 Jan 2021 23:21:25 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l0YP9-00043x-7u for pgsql-interfaces@lists.postgresql.org; Fri, 15 Jan 2021 23:21:24 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 10FNLIch1686504; Fri, 15 Jan 2021 18:21:18 -0500 From: Tom Lane To: Adrian Vogelsgesang cc: "pgsql-interfaces@lists.postgresql.org" Subject: Re: Libpq: Fail connection attempt if server didn't request a password In-reply-to: References: Comments: In-reply-to Adrian Vogelsgesang message dated "Fri, 15 Jan 2021 17:56:54 +0000" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1686502.1610752878.1@sss.pgh.pa.us> Content-Transfer-Encoding: quoted-printable Date: Fri, 15 Jan 2021 18:21:18 -0500 Message-ID: <1686503.1610752878@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk Adrian Vogelsgesang writes: > Is there some way to let libpq fail the connection attempt in such a cas= e, i.e. if a password was provided but not requested from the server? Why would that be a useful thing to do? > 1. To identify misconfigured server. In our use case, all servers should= require a password. By failing hard and early, we can more easily find mi= sconfigured servers I find that argument quite unconvincing. You can easily look into pg_hba.conf to see if any lines don't have an auth method you like. Moreover, that approach scales to requirements that are more complicated than this specific use-case, and you can be sure that *all* the entries satisfy your business rule, not just the one you happened to match this time. > Can I, as the client, force the authentication used during creating a co= nnection to be scram-sha-256? There has been discussion of that, but no one has written a patch yet. regards, tom lane