Re: Proposal: Support custom authentication methods using hooks - Mailing list pgsql-hackers

From Andres Freund
Subject Re: Proposal: Support custom authentication methods using hooks
Date
Msg-id 20220225034727.xpe6v6ikwne7ql32@alap3.anarazel.de
Whole thread Raw
In response to Re: Proposal: Support custom authentication methods using hooks  (Jeff Davis <pgsql@j-davis.com>)
List pgsql-hackers
Hi,

On 2022-02-24 17:02:45 -0800, Jeff Davis wrote:
> On Thu, 2022-02-17 at 11:25 -0800, samay sharma wrote:
> One caveat is that this only works given information available from
> existing authentication methods, because that's all the client
> supports. In practice, it seems to only be useful with plaintext
> password authentication over an SSL connection.

Why is it restricted to that? You could do sasl negotiation as well from what
I can see? And that'd theoretically also allow to negotiate whether the client
supports different ways of doing auth?  Not saying that that's easy, but I
don't think it's a fundamental restriction.

I also can imagine things like using selinux labeling of connections.

We have several useful authentication technologies built ontop of plaintext
exchange. Radius, Ldap, Pam afaics could be implemented as an extension?

Greetings,

Andres Freund



pgsql-hackers by date:

Previous
From: Simon Riggs
Date:
Subject: Re: Buffer Manager and Contention
Next
From: Amit Kapila
Date:
Subject: Re: Optionally automatically disable logical replication subscriptions on error