There has been some prior discussion, that we recently continued at, about what to do if a client wants to use a "strong" authentication mechanism but a rogue server forces the client to use a weaker authentication mechanism. This is the case if the client expects SCRAM to be used but a rogue server just replies with AuthenticationCleartextPassword, for example. Client drivers will authenticate using this latter mechanism, transparently (at least pgjdbc implementation does this, and I believe libpq also). This somehow defeats the purpose of some mechanisms like SCRAM.

It was discussed to add a parameter to the driver like "SCRAM-only", but I think this may not be ideal. "SCRAM-only" means that code needs to be written to prevent every other authentication mechanism, explicitly, which is far from ideal. Much worse, it defeats using other auth mechanisms that might be OK for the user. Also, this doesn't consider whether SCRAM is good without channel binding.

I think it would be better to make a categorization of authentication mechanisms and then have an agreement among libpq and drivers to set a minimum level of security based on the user's request. Some initial ideas are:

- Three security levels: Basic, Medium, Advanced.
- Prevents MITM / does not.
- Given this X possible attacks, a matrix of which mechanisms avoid which attacks (something similar to the table comparing the possible effects of the different isolation levels).

This is not trivial: for example, SCRAM may be OK without channel binding in the presence of SSL, but without SSL channel binding is a must to prevent MITM. Similarly, are other auth mechanisms like Kerberos (I'm not an expert here) as "safe" as SCRAM with our without channel binding?

I believe this should be discussed and find a common agreement to be implemented by libpq and all the drivers, including a single naming scheme for the parameter and possible values. Opinions?



Álvaro Hernández Tortosa


Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to