On 18.03.25 17:53, Jacob Champion wrote:
> On Tue, Mar 18, 2025 at 9:35 AM Peter Eisentraut <peter@eisentraut.org> wrote:
>> So the way I understand this is that the options are:
>>
>> (1) We add a libpq function like PQconnectionUsedScramKeys() in the
>> style of PQconnectionUsedPassword() and call that function during the
>> checks.
>>
>> (2) We make use_scram_passthrough=true imply require_auth=scram-sha-256.
>> This is essentially a way to get the info from (1) out of libpq using
>> existing facilities.
>
> Right.
>
>> But it would preempt certain setups that might
>> otherwise work. (Which ones? Are they important?)
>
> If the backend HBA later changes, to require delegated GSS or a
> different type of password authentication, the user will have to unset
> use_scram_passthrough (or ask the owner of the foreign server to unset
> it). Whereas before they could just add a password to their user
> mapping or enable delegation to move forward immediately.
>
> I think this is probably not a serious limitation, in practice.

Yeah, I think option (2) is enough for now. If someone wants to enable
the kinds of things you describe, they can always come back and
implement option (1) later.