Re: Logging of PAM Authentication Failure - Mailing list pgsql-hackers

From Amit Langote
Subject Re: Logging of PAM Authentication Failure
Date
Msg-id CA+HiwqEuwPVhBPek76p126-cG1fm-SOythZhAn0Oz94qWEjE+Q@mail.gmail.com
In response to Re: Logging of PAM Authentication Failure  (Craig Ringer <craig@2ndquadrant.com>)
Responses Re: Logging of PAM Authentication Failure  (Amit Langote <amitlangote09@gmail.com>)
Re: Logging of PAM Authentication Failure  (Craig Ringer <craig@2ndquadrant.com>)
List pgsql-hackers
On Tue, May 28, 2013 at 2:32 PM, Craig Ringer <craig@2ndquadrant.com> wrote:
> On 05/11/2013 03:25 AM, Robert Haas wrote:
>> Not really.  We could potentially fix it by extending the wire
>> protocol to allow the server to respond to the client's startup packet
>> with a further challenge, and extend libpq to report that challenge
>> back to the user and allow sending a response.  But that would break
>> on-the-wire compatibility, which we haven't done in a good 10 years,
>> and certainly wouldn't be worthwhile just for this.
> We were just talking about "things we'd like to do in wire protocol 4".
>
> Allowing multi-stage authentication has come up repeatedly and should
> perhaps go on that list. The most obvious case being "ident auth failed,
> demand md5".
>

I wonder what you think about continuing to use the already
established connection to the server while you move on to perform
authentication using the next method in the list. Earlier in this thread,
I had proposed to make changes to PGconnectPoll() to introduce an
additional connection state which is kind of an intermediate state in
the authentication sequence. For example, the server might ask for a
password (md5, password methods) and the client might want to send the
password over the existing connection by leveraging this new
connection state. This is unlike what we do, for example, in psql,
where we drop the connection (upon CONNECTION_BAD due to password
required), get the password using a prompt and then create a new
connection with the password included in the request.

--
Amit Langote
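
The md5 and password requests mentioned in the message above, at the byte level of wire protocol 3, as an added example that is not part of the original message and is not libpq or psql code. The function names and the `get_password` callback are assumptions, and the sample request is constructed; the callback stands in for a prompt that runs only once the server's request is in hand, so the reply goes out on the same connection.

```python
import hashlib
import struct

AUTH_OK, AUTH_CLEARTEXT, AUTH_MD5 = 0, 3, 5  # protocol 3 authentication codes

# Constructed sample: AuthenticationMD5Password carrying a 4-byte salt.
SAMPLE_MD5_REQUEST = b"R" + struct.pack("!II", 12, AUTH_MD5) + b"\x01\x02\x03\x04"

def parse_auth_request(msg):
    """Return (code, salt) from a server Authentication ('R') message."""
    if len(msg) < 9 or msg[0:1] != b"R":
        raise ValueError("not an Authentication message")
    length, code = struct.unpack("!II", msg[1:9])
    if length != len(msg) - 1:  # the length field counts itself, not the type byte
        raise ValueError("length field does not match message size")
    if code == AUTH_MD5:
        if length != 12:
            raise ValueError("MD5 request must carry a 4-byte salt")
        return code, msg[9:13]
    if code in (AUTH_OK, AUTH_CLEARTEXT) and length == 8:
        return code, b""
    raise ValueError("unsupported or malformed auth request %d" % code)

def md5_response(user, password, salt):
    """'md5' + md5(hex(md5(password + user)) + salt), as the md5 method expects."""
    inner = hashlib.md5((password + user).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()

def password_message(secret):
    """Build a PasswordMessage ('p') with a NUL-terminated payload."""
    body = secret.encode() + b"\x00"
    return b"p" + struct.pack("!I", 4 + len(body)) + body

def answer_challenge(msg, user, get_password):
    """Build the reply to send on the same connection, or None if already authenticated.

    get_password (hypothetical callback) is invoked only when the server asks.
    """
    code, salt = parse_auth_request(msg)
    if code == AUTH_OK:
        return None
    password = get_password()
    if code == AUTH_CLEARTEXT:
        return password_message(password)
    return password_message(md5_response(user, password, salt))

if __name__ == "__main__":
    print(answer_challenge(SAMPLE_MD5_REQUEST, "alice", lambda: "s3cret"))
```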


