Home > mailing lists

Re: [PoC] Let libpq reject unexpected authentication requests - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: [PoC] Let libpq reject unexpected authentication requests
Date	June 24, 2022 19:17:08
Msg-id	CAAWbhmitLHUBkUUJmsG2CuVfH=OXTzj6pU1C8XYerYBM2TBfbQ@mail.gmail.com Whole thread Raw
In response to	Re: [PoC] Let libpq reject unexpected authentication requests (Jacob Champion <jchampion@timescale.com>)
Responses	Re: [PoC] Let libpq reject unexpected authentication requests
List	pgsql-hackers

Tree view

On Thu, Jun 23, 2022 at 10:33 AM Jacob Champion <jchampion@timescale.com> wrote:
> - I think NOT is a important case in practice, which is effectively a
> negative OR ("anything but this/these")

Both NOT (via ! negation) and "none" are implemented in v4.

Examples:

# The server must use SCRAM.
require_auth=scram-sha-256
# The server must use SCRAM or Kerberos.
require_auth=scram-sha-256,gss,sspi
# The server may optionally use SCRAM.
require_auth=none,scram-sha-256
# The server must not use any application-level authentication.
require_auth=none
# The server may optionally use authentication, except plaintext
# passwords.
require_auth=!password
# The server may optionally use authentication, except weaker password
# challenges.
require_auth=!password,!md5
# The server must use an authentication method.
require_auth=!none
# The server must use a non-plaintext authentication method.
require_auth=!none,!password

Note that `require_auth=none,scram-sha-256` allows the server to
abandon a SCRAM exchange early, same as it can today. That might be a
bit surprising.

--Jacob

Attachment

pgsql-hackers by date:

From: Andrey Borodin
Date: 24 June 2022, 18:43:18
Subject: Re: pg_upgrade (12->14) fails on aggregate

From: Cary Huang
Date: 24 June 2022, 20:00:38
Subject: Re: Switching XLog source from archive to streaming when primary available

Re: [PoC] Let libpq reject unexpected authentication requests - Mailing list pgsql-hackers

Attachment

Previous

Next