On Mon, 2022-03-07 at 11:44 +0100, Laurenz Albe wrote:
> I am all for the idea, but you implemented the reverse of proposal 2.

(This email was caught in my spam filter; sorry for the delay.)

> Wouldn't it be better to list the *rejected* authentication methods?
> Then we could have "password" on there by default.

Specifying the allowed list rather than the denied list tends to have better security properties. In the case I'm pursuing (the attack vector from the CVE), the end user expects certificates to be used. Any other authentication method -- plaintext, hashed, SCRAM, Kerberos -- is unacceptable; it shouldn't be possible for the server to extract any information about the client environment other than the cert. And I don't want to have to specify the whole list of things that _aren't_ allowed, and keep that list updated as we add new fancy auth methods, if I just want certs to be used.

So that's my argument for making the methods opt-in rather than opt-out. But that doesn't help your case; you want to choose a good default, and I agree that's important.

Since there are arguments already for accepting an OR in the list, and -- if we couldn't find a good orthogonal method for certs, like Tom suggested -- an AND, maybe it wouldn't be so bad to accept a NOT as well?

    require_auth=cert                  # certs only
    require_auth=cert+scram-sha-256    # SCRAM wrapped by certs
    require_auth=cert,scram-sha-256    # SCRAM or certs (or both)
    require_auth=!password             # anything but plaintext
    require_auth=!password,!md5        # no plaintext or MD5

But it doesn't ever make sense to mix them:

    require_auth=cert,!password        # error: !password is useless
    require_auth=!password,password    # error: nonsense

--Jacob
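As an added example (not code from this thread and not libpq's own require_auth implementation), the following C parser and checker implements the syntax sketched in the message above: ',' for OR, '+' for AND, '!' for NOT, with the rule that negated and non-negated terms may not be mixed. The table of method names, the fixed array sizes, and the allow-list semantics used by ra_permits (every method the server actually used must appear somewhere in the list, and at least one comma-separated alternative must be fully satisfied, so "cert" really does mean certs only while "cert,scram-sha-256" accepts both together) are assumptions made for this example.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define RA_MAX_ALTS 8      /* assumption: max comma-separated alternatives */
#define RA_MAX_CONJ 4      /* assumption: max '+'-joined methods per alternative */
#define RA_NAME_LEN 32

/* Method names this example recognises (assumption, not libpq's table). */
static const char *const ra_known[] = {
    "cert", "password", "md5", "scram-sha-256", "gss", "sspi", NULL
};

enum ra_result {
    RA_OK = 0,
    RA_EMPTY,        /* empty spec, empty term, trailing ',' or '+' */
    RA_UNKNOWN,      /* method name not in ra_known */
    RA_MIXED,        /* '!' terms mixed with plain terms, e.g. "cert,!password" */
    RA_TOO_MANY,     /* more terms than the fixed arrays hold */
    RA_BAD_NEGATION  /* '!' inside a '+' group, or "!!x": undefined by the proposal */
};

struct ra_policy {
    bool negated;                 /* true: every term was "!method" (a deny list) */
    int  nalts;                   /* number of comma-separated alternatives */
    int  nconj[RA_MAX_ALTS];      /* '+'-joined methods in each alternative */
    char method[RA_MAX_ALTS][RA_MAX_CONJ][RA_NAME_LEN];
};

static bool ra_is_known(const char *name, size_t len)
{
    for (int i = 0; ra_known[i] != NULL; i++)
        if (strlen(ra_known[i]) == len && memcmp(ra_known[i], name, len) == 0)
            return true;
    return false;
}

/* Parse a require_auth-style value into *out. Returns RA_OK on success. */
enum ra_result ra_parse(const char *spec, struct ra_policy *out)
{
    memset(out, 0, sizeof(*out));
    if (spec == NULL || *spec == '\0')
        return RA_EMPTY;

    const char *p = spec;
    int alt = 0, seen_plain = 0, seen_neg = 0;

    for (;;) {                                   /* one alternative per iteration */
        if (alt >= RA_MAX_ALTS)
            return RA_TOO_MANY;
        const char *end = strchr(p, ',');
        size_t altlen = end ? (size_t)(end - p) : strlen(p);
        if (altlen == 0)
            return RA_EMPTY;                     /* "cert," or ",cert" */

        bool neg = (p[0] == '!');
        const char *q = neg ? p + 1 : p;
        size_t rem = neg ? altlen - 1 : altlen;
        if (rem == 0)
            return RA_EMPTY;                     /* lone "!" */

        int conj = 0;
        for (;;) {                               /* split the alternative on '+' */
            const char *plus = memchr(q, '+', rem);
            size_t tlen = plus ? (size_t)(plus - q) : rem;
            if (tlen == 0)
                return RA_EMPTY;                 /* "cert++scram" */
            if (q[0] == '!' || (neg && plus != NULL))
                return RA_BAD_NEGATION;          /* "cert+!password", "!cert+scram" */
            if (tlen >= RA_NAME_LEN || !ra_is_known(q, tlen))
                return RA_UNKNOWN;
            if (conj >= RA_MAX_CONJ)
                return RA_TOO_MANY;
            memcpy(out->method[alt][conj], q, tlen);
            out->method[alt][conj][tlen] = '\0';
            conj++;
            if (plus == NULL)
                break;
            rem -= tlen + 1;
            q = plus + 1;
            if (rem == 0)
                return RA_EMPTY;                 /* trailing '+' */
        }
        out->nconj[alt] = conj;
        if (neg) seen_neg = 1; else seen_plain = 1;
        alt++;
        if (end == NULL)
            break;
        p = end + 1;
    }
    if (seen_plain && seen_neg)
        return RA_MIXED;                         /* the "nonsense" cases */
    out->negated = seen_neg;
    out->nalts = alt;
    return RA_OK;
}

static bool ra_in_set(const char *name, const char *const *set, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(name, set[i]) == 0)
            return true;
    return false;
}

/* Does the policy permit a connection on which the server used exactly the
 * methods in `used` (e.g. {"cert"} or {"cert","scram-sha-256"})? The client
 * would evaluate this before answering any authentication request. */
bool ra_permits(const struct ra_policy *pol, const char *const *used, int nused)
{
    if (pol->negated) {                          /* deny list: no forbidden method used */
        for (int a = 0; a < pol->nalts; a++)
            if (ra_in_set(pol->method[a][0], used, nused))
                return false;
        return true;
    }
    /* allow list, assumption (1): nothing outside the list may be used at all */
    for (int u = 0; u < nused; u++) {
        bool listed = false;
        for (int a = 0; a < pol->nalts && !listed; a++)
            for (int c = 0; c < pol->nconj[a] && !listed; c++)
                listed = strcmp(pol->method[a][c], used[u]) == 0;
        if (!listed)
            return false;
    }
    /* allow list, assumption (2): some alternative must be fully satisfied */
    for (int a = 0; a < pol->nalts; a++) {
        bool all = true;
        for (int c = 0; c < pol->nconj[a] && all; c++)
            all = ra_in_set(pol->method[a][c], used, nused);
        if (all)
            return true;
    }
    return false;
}

int main(void)
{
    const char *specs[] = { "cert", "cert+scram-sha-256", "cert,scram-sha-256",
                            "!password", "!password,!md5",
                            "cert,!password", "!password,password" };
    /* constructed input: the server wrapped SCRAM inside a client-cert connection */
    const char *const used[] = { "cert", "scram-sha-256" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        struct ra_policy pol;
        enum ra_result r = ra_parse(specs[i], &pol);
        if (r != RA_OK)
            printf("%-22s -> rejected at parse time (code %d)\n", specs[i], (int)r);
        else
            printf("%-22s -> %s cert+scram\n", specs[i],
                   ra_permits(&pol, used, 2) ? "permits" : "refuses");
    }
    return 0;
}
```

The parse-time rejection of mixed lists is what makes the "certs only" guarantee checkable: once a value parses as an allow list, a client can refuse to send anything to the server before the policy is satisfied, which is the point of the CVE-driven case in the message.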