public inbox for [email protected]  
help / color / mirror / Atom feed
Libpq: Fail connection attempt if server didn't request a password
2+ messages / 2 participants
[nested] [flat]

* Libpq: Fail connection attempt if server didn't request a password
@ 2021-01-15 17:56 Adrian Vogelsgesang <[email protected]>
  2021-01-15 23:21 ` Re: Libpq: Fail connection attempt if server didn't request a password Tom Lane <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: Adrian Vogelsgesang @ 2021-01-15 17:56 UTC (permalink / raw)
  To: [email protected] <[email protected]>

Dear Postgres community,

Today, I learned that in the Postgres protocol, the Postgres server first has to request a password from the client before libpq will send it.
In particular, this also means: if the server doesn’t request a password but simply accepts the connection, libpq will just establish the connection.

Is there some way to let libpq fail the connection attempt in such a case, i.e. if a password was provided but not requested from the server?
Can I, as the client, force the authentication used during creating a connection to be scram-sha-256?
Or can I at least disable MD5 and plain-text authentication on the client-side (which I both consider unsecure)?

You might ask: Why do I care to enforce the authentication mode on the client side? Two reasons:
1. To identify misconfigured server. In our use case, all servers should require a password. By failing hard and early, we can more easily find misconfigured servers
2. To establish some trust on the client-side that I am actually connected to the correct server. In scram-sha-256, the server also has to authenticate to the client. This would be a nice additional level of security. However, this is worthless if the client doesn’t enforce a scram-sha-256 authentication: A malicious server could simply accept the connection without asking for a password or use the MD5 method instead

Cheers,
Adrian


^ permalink  raw  reply  [nested|flat] 2+ messages in thread

* Re: Libpq: Fail connection attempt if server didn't request a password
  2021-01-15 17:56 Libpq: Fail connection attempt if server didn't request a password Adrian Vogelsgesang <[email protected]>
@ 2021-01-15 23:21 ` Tom Lane <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: Tom Lane @ 2021-01-15 23:21 UTC (permalink / raw)
  To: Adrian Vogelsgesang <[email protected]>; +Cc: [email protected] <[email protected]>

Adrian Vogelsgesang <[email protected]> writes:
> Is there some way to let libpq fail the connection attempt in such a case, i.e. if a password was provided but not requested from the server?

Why would that be a useful thing to do?

> 1. To identify misconfigured server. In our use case, all servers should require a password. By failing hard and early, we can more easily find misconfigured servers

I find that argument quite unconvincing.  You can easily look into
pg_hba.conf to see if any lines don't have an auth method you like.
Moreover, that approach scales to requirements that are more complicated
than this specific use-case, and you can be sure that *all* the entries
satisfy your business rule, not just the one you happened to match this
time.

> Can I, as the client, force the authentication used during creating a connection to be scram-sha-256?

There has been discussion of that, but no one has written a patch yet.

			regards, tom lane





^ permalink  raw  reply  [nested|flat] 2+ messages in thread


end of thread, other threads:[~2021-01-15 23:21 UTC | newest]

Thread overview: 2+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2021-01-15 17:56 Libpq: Fail connection attempt if server didn't request a password Adrian Vogelsgesang <[email protected]>
2021-01-15 23:21 ` Tom Lane <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox