index dbe23db54f05b0628007fca975b4d480b41d0b02..64753d9c014ad4cbbb1719b3edd9d73c9a8d6dd9 100644 (file)
CA.
</para>
+ <para>
+ To prevent server spoofing from occurring when using
+ <link linkend="auth-password">scram-sha-256</link> password authentication
+ over a network, you should ensure that you connect to the server using SSL
+ and with one of the anti-spoofing methods described in the previous
+ paragraph. Additionally, the SCRAM implementation in
+ <application>libpq</application> cannot protect the entire authentication
+ exchange, but using the <literal>channel_binding=require</literal> connection
+ parameter provides a mitigation against server spoofing. An attacker that
+ uses a rogue server to intercept a SCRAM exchange can use offline analysis to
+ potentially determine the hashed password from the client.
+ </para>
+
<para>
To prevent spoofing with GSSAPI, the server must be configured to accept
only <literal>hostgssenc</literal> connections