"Joshua D. Drake" <jd@commandprompt.com> writes:
> On Fri, 2009-05-22 at 15:24 -0400, Tom Lane wrote:
>> There's no way we could implement that without a protocol change,
>> and it doesn't seem worth it to me. The idea that the client gets
>> to choose seems like a bad idea from a security standpoint anyhow...
> Wouldn't this be solved just by having fall through authentication?

It's still a protocol change --- right now, clients have no reason
to expect that failing on the first auth challenge will lead to
another challenge of a different type, or indeed lead to anything
at all except disconnection. I think libpq, for example, just drops
the connection on its own authority if asked for a password it can't
provide.

regards, tom lane