Re: Proposal: Support custom authentication methods using hooks,Re: Proposal: Support custom authentication methods using hooks - Mailing list pgsql-hackers

From Tatsuo Ishii
Subject Re: Proposal: Support custom authentication methods using hooks,Re: Proposal: Support custom authentication methods using hooks
Date
Msg-id 20220305.080337.381345932292253507.t-ishii@sranhm.sra.co.jp
Whole thread Raw
In response to Re: Proposal: Support custom authentication methods using hooks,Re: Proposal: Support custom authentication methods using hooks  (Joshua Brindle <joshua.brindle@crunchydata.com>)
Responses Re: Proposal: Support custom authentication methods using hooks,Re: Proposal: Support custom authentication methods using hooks
List pgsql-hackers
>> I still don't understand why using plaintex password authentication
>> over SSL connection is considered insecure. Actually we have been
>> stating opposite in the manual:
>> https://www.postgresql.org/docs/14/auth-password.html
>>
>> "If the connection is protected by SSL encryption then password can be
>> used safely, though."
> 
> If you aren't doing client verification (i.e., cert in pg_hba) and are
> not doing verify-full on the client side then a man-in-the-middle
> attack on TLS is trivial, and the plaintext password will be
> sniffable.

So the plaintext password is safe if used with hostssl + verify-full
(server side) and sslmode = verify-full (client side), right?

Best reagards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp



pgsql-hackers by date:

Previous
From: Andres Freund
Date:
Subject: Re: Regression tests failures on Windows Server 2019 - on master at commit # d816f366b
Next
From: Thomas Munro
Date:
Subject: Re: Regression tests failures on Windows Server 2019 - on master at commit # d816f366b