On Thu, Aug 08, 2019 at 11:16:24PM -0700, Jeff Davis wrote: > On Fri, 2019-08-09 at 12:00 +0900, Michael Paquier wrote: > > What about auth_protocol then? It seems to me that it could be > > useful > > to have the restriction on AUTH_REQ_MD5 as well. > > auth_protocol does sound like a good name. I'm not sure what you mean > regarding MD5 though.
Sorry, I meant krb5 here.
> We already have that concept to a lesser extent, with the md5
> authentication method also permitting scram-sha-256.
That's present to ease upgrades, and once the AUTH_REQ part is
received the client knows what it needs to go through.
> That sounds good, but there are a lot of possibilities and I can't
> quite decide which way to go.
>
> We could expose it as an SASL option like:
>
> saslmode = {disable|prefer|require-scram-sha-256|require-scram-sha-
> 256-plus}
Or we could shape password_protocol so as it takes a list of
protocols, as a white list of authorized things in short.
--
Michael
signature.asc
Description: PGP signature
