> What I am suggesting here is that in order to handle properly SCRAM > with channel binding, pgpool has to provide a different handling for > client <-> pgpool and pgpool <-> Postgres. In short, I don't have a > better answer than having pgpool impersonate the server and request > for a password in cleartext through an encrypted connection between > pgpool and the client if pgpool does not know about it, and then let > pgpool do by itself the SCRAM authentication on a per-connection basis > with each Postgres instances. When using channel binding, what would > matter is the TLS finish (for tls-unique) or the hash server > certificate between Postgres and pgpool, not between the client and > pgpool. But that's actually the point you are raising here:
Using a clear text password would not be acceptable for users even through an encrypted connection, I think. Best regards, -- Tatsuo Ishii SRA OSS, Inc. Japan English: http://www.sraoss.co.jp/index_en.php Japanese:http://www.sraoss.co.jp -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers