From 761c79508e7fbc33c1b11754bdde4bd03ce9cbb3 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Wed, 15 Jan 2025 17:55:18 +0100
Subject: postgres_fdw: SCRAM authentication pass-through
This enables SCRAM authentication for postgres_fdw when connecting to a foreign server without having to store a plain-text password on user mapping options. This is done by saving the SCRAM ClientKey and ServeryKey from the client authentication and using those instead of the plain-text password for the server-side SCRAM exchange. The new foreign-server or user-mapping option "use_scram_passthrough" enables this.
Co-authored-by: Matheus Alcantara
Co-authored-by: Peter Eisentraut
Discussion: https://www.postgresql.org/message-id/flat/27b29a35-9b96-46a9-bc1a-914140869dac@gmail.com
---
 src/interfaces/libpq/fe-auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/interfaces/libpq/fe-auth.c')
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 14a9a862f51..7e478489b71 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -559,7 +559,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 * First, select the password to use for the exchange, complaining if
 * there isn't one and the selected SASL mechanism needs it.
 */
- if (conn->password_needed)
+ if (conn->password_needed && !conn->scram_client_key_binary)
 {
 password = conn->connhost[conn->whichhost].password;
 if (password == NULL)
-- cgit v1.2.3
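Review bot: The new condition `if (conn->password_needed && !conn->scram_client_key_binary)` skips the password lookup as soon as a client key is present, but the commit message says the exchange relies on both the ClientKey and the ServerKey, and nothing visible in this hunk shows that the two are required as a pair. If a connection could carry a client key without a server key, the "no password supplied" check would be bypassed while the client has nothing to verify the server's final signature against, which would weaken SCRAM's mutual authentication; confirm that option parsing rejects a lone key, or test both keys in this condition. The comment above the `if` still describes only the password case and should mention the pass-through path, e.g. `* A saved SCRAM ClientKey replaces the password, so none is looked up then.` pg_SASL_init starts and ends outside the hunk, so how the later code behaves when `password` stays NULL could not be checked from here.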