On Fri, Feb 15, 2019 at 03:41:37PM -0500, Hugh Ranalli wrote:
>
> I've been trying to implement scram-sha-256 passwords on PostgreSQL 11.1.
> However, connection attempts whether through Python (psycopg2) or psql fail
> with the message: "channel binding not supported by this build." I've tried
> clearing scram_channel_binding in my global psqlrc ("\set
> scram_channel_binding"), with no success.
>
> We are not using SSL for the connections, and the documentation labels this as
> an SASL authentication mechanism. Is SSL required for using scram-sha-256
> passwords? What am I missing?
The PG 11 release notes are clear that channel binding is not supported
in a usable way yet:
https://www.postgresql.org/docs/11/release-11.html
Add ability to use channel binding when using SCRAM authentication
(Michael Paquier)
Channel binding is intended to prevent man-in-the-middle attacks, but
SCRAM cannot prevent them unless it can be forced to be active.
Unfortunately, there is no way to do that in libpq. Support for it is
expected in future versions of libpq and in interfaces not built using
libpq, e.g. JDBC.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +