On Fri, Aug 09, 2019 at 09:28:50AM -0400, Stephen Frost wrote:
> I don't really care for auth_protocol as that's pretty close to
> "auth_method" and that isn't what we're talking about here- this isn't
> the user picking the auth method, per se, but rather saying which of the
> password-based mechanisms for communicating that the user knows the
> password is acceptable. Letting users choose which auth methods are
> allowed might also be interesting (as in- we are in a Kerberized
> environment and therefore no client should ever be using any auth method
> except GSS, could be a reasonable ask) but it's not the same thing.
>
> What restriction are you suggesting here wrt krb5..?
What I suggested in this previous set of emails is if it would make
sense to extend what libpq can restrict at authentication time to not
only be password-based authentication methods, but also if we could
have a connection parameter allowing us to say "please I want krb5/gss
and nothing else". My point is that password-based authentication is
only one portion of the problem as what we are looking at is applying
a filtering on AUTH_REQ messages that libpq receives from the server
(SCRAM with and without channel binding is an exception as that's
handled as part of the SASL set of messages), but at a high level we
are going to need a filtering of the first authentication message
received anyway.
But that's also basically what you outline in this previous paragraph
of yours.
--
Michael