Re: [PoC] Let libpq reject unexpected authentication requests - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PoC] Let libpq reject unexpected authentication requests
Date
Msg-id a14b1f89dcde75fb20afa7a1ffd2c2587b8d1a08.camel@vmware.com
In response to Re: [PoC] Let libpq reject unexpected authentication requests  (Laurenz Albe <laurenz.albe@cybertec.at>)
List pgsql-hackers
On Mon, 2022-03-07 at 11:44 +0100, Laurenz Albe wrote:
> I am all for the idea, but you implemented the reverse of proposal 2.

(This email was caught in my spam filter; sorry for the delay.)

> Wouldn't it be better to list the *rejected* authentication methods?
> Then we could have "password" on there by default.

Specifying the allowed list rather than the denied list tends to have
better security properties.

In the case I'm pursuing (the attack vector from the CVE), the end user
expects certificates to be used. Any other authentication method --
plaintext, hashed, SCRAM, Kerberos -- is unacceptable; it shouldn't be
possible for the server to extract any information about the client
environment other than the cert. And I don't want to have to specify
the whole list of things that _aren't_ allowed, and keep that list
updated as we add new fancy auth methods, if I just want certs to be
used. So that's my argument for making the methods opt-in rather than
opt-out.

But that doesn't help your case; you want to choose a good default, and
I agree that's important. Since there are arguments already for
accepting an OR in the list, and -- if we couldn't find a good
orthogonal method for certs, like Tom suggested -- an AND, maybe it
wouldn't be so bad to accept a NOT as well?

    require_auth=cert                # certs only
    require_auth=cert+scram-sha-256  # SCRAM wrapped by certs
    require_auth=cert,scram-sha-256  # SCRAM or certs (or both)
    require_auth=!password           # anything but plaintext
    require_auth=!password,!md5      # no plaintext or MD5

But it doesn't ever make sense to mix them:

    require_auth=cert,!password      # error: !password is useless
    require_auth=!password,password  # error: nonsense

--Jacob
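The grammar sketched in the message above, as an added example that is not part of the thread or of libpq: a small C validator for the proposed require_auth syntax. It assumes cert, password, md5 and scram-sha-256 as the known method names, rejects a list that mixes `!` terms with plain terms, and (an assumption of this example, not a rule stated in the thread) only accepts a `+` term when cert is one of its parts.

```c
#include <string.h>

enum ra_mode { RA_ALLOW, RA_DENY };

struct require_auth {
    enum ra_mode mode;  /* RA_ALLOW: opt-in list; RA_DENY: anything except the listed methods */
    int nterms;
    char terms[8][32];  /* an AND term such as "cert+scram-sha-256" is kept whole */
};

/* Assumed method names, limited to the ones named in the thread. */
static const char *const ra_known[] = { "cert", "password", "md5", "scram-sha-256" };

static int ra_method_known(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof ra_known / sizeof ra_known[0]; i++)
        if (strlen(ra_known[i]) == len && memcmp(ra_known[i], name, len) == 0)
            return 1;
    return 0;
}

/* "a+b" is valid when every piece is known and one piece is cert (assumption). */
static int ra_term_valid(const char *term, size_t len)
{
    int pieces = 0, has_cert = 0;
    for (;;) {
        const char *plus = memchr(term, '+', len);
        size_t n = plus ? (size_t)(plus - term) : len;
        if (!ra_method_known(term, n)) return 0;
        if (n == 4 && memcmp(term, "cert", 4) == 0) has_cert = 1;
        pieces++;
        if (!plus) return pieces == 1 || has_cert;
        len -= n + 1;   /* skip the piece and its '+' */
        term = plus + 1;
    }
}

/* Returns 1 and fills *out when spec is well formed; 0 on a malformed or
 * self-contradictory spec such as "cert,!password" or "!password,password". */
int parse_require_auth(const char *spec, struct require_auth *out)
{
    out->nterms = 0;
    for (;;) {
        const char *comma = strchr(spec, ',');
        size_t len = comma ? (size_t)(comma - spec) : strlen(spec);
        int neg = (len > 0 && spec[0] == '!');
        enum ra_mode mode = neg ? RA_DENY : RA_ALLOW;
        spec += neg; len -= neg;
        if (len == 0 || len >= sizeof out->terms[0] || out->nterms == 8) return 0;
        if (out->nterms > 0 && out->mode != mode) return 0;  /* allow and deny terms mixed */
        out->mode = mode;
        if (!ra_term_valid(spec, len)) return 0;
        memcpy(out->terms[out->nterms], spec, len);
        out->terms[out->nterms++][len] = '\0';
        if (!comma) return 1;
        spec = comma + 1;
    }
}
```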
