Greetings,
* Magnus Hagander (magnus@hagander.net) wrote:
> On Mon, Dec 21, 2020 at 7:44 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > BTW, do we have a client-side setting to insist that passwords not be
> > sent in MD5 hashing either? A person who is paranoid about this would
> > likely want to disable that code path as well.
>
> I don't think we do, and we possibly should. You can require channel
> binding which will require scram which solves the problem, but it does
> so only for scram.
>
> IIRC we've discussed having a parameter that says "allowed
> authentication methods" on the client as well, but I don't believe it
> has been built. But it wouldn't be bad to be able to for example force
> the client to only attempt gssapi auth, regardless of what the server
> asks for, and just fail if it's not there.
The client is able to require a GSS encrypted connection, and a savy
user will realize that they should 'kinit' (or equivilant) locally and
never provide their password explicitly to the psql (or equivilant)
command, but that's certainly less than ideal.
Having a way to explicitly tell libpq what auth methods are acceptable
was discussed previously and does generally seem like a good idea, as
otherwise there's a lot of risk of what are essentially downgrade
attacks.
Thanks,
Stephen