Re: BUG #16079: Question Regarding the BUG #16064 - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: BUG #16079: Question Regarding the BUG #16064
Date
Msg-id YLl9ZPihn+kI/oHk@paquier.xyz
In response to Re: BUG #16079: Question Regarding the BUG #16064  (Jeff Davis <pgsql@j-davis.com>)
List pgsql-hackers
On Thu, Jun 03, 2021 at 11:02:56AM -0700, Jeff Davis wrote:
> My feeling after all of that discussion is that the next step would be
> to move to some kind of negotiation between client and server about
> which methods are mutually acceptable. Right now, the protocol is
> structured around the server driving the authentication process, and
> the most the client can do is abort.

FWIW, this sounds very similar to what SASL solves when we try to
select a mechanism name, plus some filtering applied in the backend
with some HBA rule or some filtering in the frontend with a connection
parameter doing the restriction, like channel_binding here.

Introducing a new libpq parameter that allows the user to select which
authentication methods are allowed has been discussed in the past, I
remember vaguely writing/reviewing a patch doing that actually.
--
Michael
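
The frontend-side filtering mentioned in the message above, as an added sketch that is not part of the original mail and is not libpq's code: a simplified model of picking from the SASL mechanism list a server advertises, restricted by a channel_binding policy. The function name, the exception and the `tls_active` flag are assumptions, and only the two SCRAM mechanism names are modelled.

```python
# Simplified model of client-side SASL mechanism selection (assumption:
# this mirrors the documented channel_binding semantics, not libpq source).
SCRAM = "SCRAM-SHA-256"
SCRAM_PLUS = "SCRAM-SHA-256-PLUS"   # SCRAM with channel binding


class AuthPolicyError(Exception):
    """No offered mechanism satisfies the client's policy; client aborts."""


def select_mechanism(offered, channel_binding="prefer", tls_active=False):
    """Choose a mechanism from the server's offer under a client policy.

    offered         -- mechanism names advertised by the server
    channel_binding -- "disable", "prefer" or "require"
    tls_active      -- hypothetical flag: is the connection inside TLS?
    """
    if channel_binding not in ("disable", "prefer", "require"):
        raise ValueError("unknown channel_binding value: %r" % channel_binding)

    offered = set(offered)
    # Channel binding needs both a TLS session and the -PLUS mechanism.
    can_bind = tls_active and SCRAM_PLUS in offered

    if channel_binding == "require":
        # The server drives the exchange; if its offer does not meet the
        # policy, the only thing the client can do is abort.
        if not can_bind:
            raise AuthPolicyError("channel binding required but unavailable")
        return SCRAM_PLUS

    if channel_binding == "prefer" and can_bind:
        return SCRAM_PLUS

    # "prefer" without a usable -PLUS offer, or "disable": plain SCRAM.
    # Under "prefer" this fallback is silent, so a server (or something
    # posing as one) that omits -PLUS is not detected.
    if SCRAM in offered:
        return SCRAM
    raise AuthPolicyError("no acceptable SASL mechanism offered")


if __name__ == "__main__":
    # Constructed server offers, for illustration only.
    print(select_mechanism([SCRAM_PLUS, SCRAM], "require", tls_active=True))
    print(select_mechanism([SCRAM], "prefer", tls_active=True))
```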
