Re: allow specifying direct role membership in pg_hba.conf - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: allow specifying direct role membership in pg_hba.conf
Msg-id 6a4b702a-912c-28aa-332e-70f4bdea5e05@dunslane.net
In response to Re: allow specifying direct role membership in pg_hba.conf  (Chapman Flack <chap@anastigmatix.net>)
List pgsql-hackers
On 5/18/21 8:05 AM, Chapman Flack wrote:
> On 05/18/21 04:54, Magnus Hagander wrote:
>
>> I mean, if you have
>> hostssl somedatabase someuser 10.0.0.0/24 gss
>> hostssl somedatabase superuser 10.0.0.0/24 gss tls_min_version=1.3
>>
>> One would reasonably expect that "someuser" can connect with whatever
>> the default version is for tls_min_version, whereas "superuser" would
>> require a minimum of 1.3. But that's *not* what would happen --
>> superuser would also be allowed to connect with a lower version if
>> that's allowed in the global set.
> Negatory. "superuser" would be allowed to send a StartupMessage
> containing the strings "somedatabase" and "superuser" (and possibly
> some settings of options) over a lower version if that's allowed
> in the global set ... and would then have the connection rejected
> because the negotiated protocol was lower than 1.3, without seeing
> any authentication message or having a chance to send any sensitive
> authentication credentials.
>
> So the risk of any information exposure over a too-low TLS version
> is limited to the name of a database, the name of a user, and possibly
> the settings of some options, and no sensitive authentication data.
>


We are way off $subject. If we want to continue this discussion please
use an appropriate subject.


cheers


andrew


--
Andrew Dunstan
EDB: https://www.enterprisedb.com