Re: BUG #16079: Question Regarding the BUG #16064

From: Stephen Frost
Subject: Re: BUG #16079: Question Regarding the BUG #16064
Msg-id: 20201221183511.GI27507@tamriel.snowman.net
In reply to: Re: BUG #16079: Question Regarding the BUG #16064  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: BUG #16079: Question Regarding the BUG #16064  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Jeff Janes <jeff.janes@gmail.com> writes:
> > On Sun, Dec 20, 2020 at 7:58 PM Stephen Frost <sfrost@snowman.net> wrote:
> >> * Magnus Hagander (magnus@hagander.net) wrote:
> >>> Maybe we should do the same for LDAP (and RADIUS)? This seems like a
> >>> better place to put it than to log it at every time it's received?
>
> >> A dollar short and a year late, but ... +1.
>
> > I would suggest going further.  I would make the change on the client side,
> > and have libpq refuse to send unhashed passwords without having an
> > environment variable set which allows it.
>
> As noted, that would break LDAP and RADIUS auth methods; likely also PAM.

Which would be an altogether good thing as all of those end up exposing
sensitive information should the server be compromised and a user uses
one of them to log in.

The point would be to make it clear to the user, while having an escape
hatch if necessary, that they're sending their password (or pin in the
RADIUS case) to the server.

> > What is the value of logging on the server side?
>
> I do agree with this point, but mostly on the grounds of "nobody reads
> the server log".

I agree that doing this server side really isn't all that helpful.

Thanks,

Stephen
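The client-side check discussed above (libpq refusing to answer a cleartext password request unless an environment variable opts in), as an added illustration that is not code from libpq or the PostgreSQL project. It parses the v3 wire-protocol AuthenticationRequest ('R') messages a server sends and applies the policy on the client; the environment variable name PGALLOWCLEARTEXT and the sample messages are assumptions constructed for the example.

```python
"""
Client-side policy for PostgreSQL AuthenticationRequest messages.

Added example, not libpq or PostgreSQL project code. The 'R' message
framing and the authentication codes are the documented v3 protocol;
the PGALLOWCLEARTEXT escape hatch is a hypothetical name for this
example (libpq has no such variable).
"""
import os
import struct

# AuthenticationRequest codes from the PostgreSQL v3 frontend/backend protocol.
AUTH_OK = 0
AUTH_CLEARTEXT_PASSWORD = 3   # what ldap, radius, pam and password methods ask for
AUTH_MD5_PASSWORD = 5         # payload: 4-byte salt
AUTH_SASL = 10                # payload: NUL-terminated mechanism names, then NUL

# Hypothetical opt-in, as proposed in the thread (assumed name).
ALLOW_ENV = "PGALLOWCLEARTEXT"


def build_auth_request(code: int, payload: bytes = b"") -> bytes:
    """Build a server->client 'R' message; used here to construct test input."""
    body = struct.pack("!i", code) + payload
    # Length field covers itself (4 bytes) plus the body, not the type byte.
    return b"R" + struct.pack("!i", 4 + len(body)) + body


def parse_auth_request(msg: bytes):
    """Return (code, payload) from an 'R' message, validating the framing."""
    if len(msg) < 9 or msg[0:1] != b"R":
        raise ValueError("not an AuthenticationRequest message")
    (length,) = struct.unpack("!i", msg[1:5])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    (code,) = struct.unpack("!i", msg[5:9])
    return code, msg[9:]


def password_may_be_sent(msg: bytes, env=None) -> bool:
    """
    Client policy: answer a cleartext request only if the escape hatch is
    set; challenge-response methods (MD5, SASL/SCRAM) never put the raw
    password on the wire, so they are always acceptable.
    """
    env = os.environ if env is None else env
    code, _payload = parse_auth_request(msg)
    if code == AUTH_CLEARTEXT_PASSWORD:
        return env.get(ALLOW_ENV) == "1"
    if code in (AUTH_OK, AUTH_MD5_PASSWORD, AUTH_SASL):
        return True
    raise ValueError(f"unsupported authentication request code {code}")


if __name__ == "__main__":
    # Constructed sample exchange: a server configured for ldap/radius/pam
    # sends code 3; a SCRAM-configured server sends code 10.
    cleartext = build_auth_request(AUTH_CLEARTEXT_PASSWORD)
    scram = build_auth_request(AUTH_SASL, b"SCRAM-SHA-256\x00\x00")
    print("cleartext, no opt-in:", password_may_be_sent(cleartext, env={}))
    print("cleartext, opt-in:   ", password_may_be_sent(cleartext, env={ALLOW_ENV: "1"}))
    print("scram:               ", password_may_be_sent(scram, env={}))
```

A real client would run this check before building the PasswordMessage; refusing at that point is what makes the LDAP, RADIUS and PAM cases visible to the user instead of silently handing the server the password. Later PostgreSQL releases (16 onward) added a libpq `require_auth` connection parameter that lets a client restrict which server authentication requests it will answer, which covers the same ground as the environment-variable escape hatch discussed here.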
