<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Can you connect to "the database" from port 9999?<br>
<br>
psql --host=blarge.example.com --username=postgres --port=9999<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 3/29/23 10:35, Todd Stein wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BN8PR18MB3027AA7D7C7818A129031502F3899@BN8PR18MB3027.namprd18.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}span.EmailStyle20
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Ron,<o:p></o:p></p>
<p class="MsoNormal">Thanks for your response.<o:p></o:p></p>
<p class="MsoNormal">I should have not included the reference to
pcp.conf and pool_passwd files. These are well documented,
and made my question unclear.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>This one statement is the one I need
help with:</b><i><br>
<o:p></o:p></i></p>
<p class="MsoNormal"><i>“In my testing I find that if the
password in ~/.pgpass includes the AES prefix in the
encrypted password, I get password authentication failed for
user “postgres” when the system tries to start a replication
slot.”<o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>More detail:<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal">Here are a few lines from the
postgresql-Wed.log file. This entry corresponds to a
pcp_recovery_node command:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2023-03-29 11:20:27.378 EDT [660839]
STATEMENT: START_REPLICATION SLOT "pg_basebackup_660839"
3/7000000 TIMELINE 76<o:p></o:p></p>
<p class="MsoNormal">2023-03-29 11:20:30.860 EDT [660848]
FATAL: password authentication failed for user "postgres"<o:p></o:p></p>
<p class="MsoNormal">2023-03-29 11:20:30.860 EDT [660848]
DETAIL: Connection matched pg_hba.conf line 108: "host all
postgres 0.0.0.0/0
scram-sha-256"<o:p></o:p></p>
<div>
<p class="MsoNormal" style="line-height:15.0pt"><span
style="color:black;mso-ligatures:none" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:15.0pt"><span
style="color:black;mso-ligatures:none" lang="EN-US">During
the pcp_recovery_node process the system attempts to
create a replicaion slot, and fails… I’m trying to figure
out why.<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:15.0pt"><span
style="font-size:12.0pt;color:black;mso-ligatures:none"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:15.0pt"><span
style="font-size:12.0pt;color:black;mso-ligatures:none"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:15.0pt"><span
style="font-size:12.0pt;color:black;mso-ligatures:none"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:15.0pt"><span
style="font-size:12.0pt;color:black;mso-ligatures:none"
lang="EN-US">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:15.0pt"><b><span
style="font-size:12.0pt;color:black;mso-ligatures:none"
lang="EN-US"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:12.0pt;color:black;mso-ligatures:none"
lang="EN-US">Todd Stein</span></b><span
style="mso-ligatures:none" lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US">From:</span></b><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US"> pgpool-general
<a class="moz-txt-link-rfc2396E" href="mailto:pgpool-general-bounces@pgpool.net"><pgpool-general-bounces@pgpool.net></a>
<b>On Behalf Of </b>Ron<br>
<b>Sent:</b> Wednesday, March 29, 2023 11:18 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:pgpool-general@pgpool.net">pgpool-general@pgpool.net</a><br>
<b>Subject:</b> [pgpool-general: 8688] Re: password file
format<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On 3/29/23 09:52, Todd Stein wrote:<br>
<br>
<span style="mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal">Will someone please correct or confirm my
assumption of the SCRAM-SHA-256 password file format for
$HOME/.pgpass and $HOME/.pcppass files?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’m not sure if I should be using the
password with the AES prefix outside of the pool_password
file or not. For example in the .pgpass and/or .pcppass
files.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">$ pg_enc -k ~/.pgpoolkey -u postgres -p<o:p></o:p></p>
<p class="MsoNormal">db password:<o:p></o:p></p>
<p class="MsoNormal">trying to read key from file
/var/lib/pgsql/.pgpoolkey<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>P1+l8j3GaTxzSBgcY1laEQ==</b><o:p></o:p></p>
<p class="MsoNormal">pool_passwd string: <b>AESP1+l8j3GaTxzSBgcY1laEQ==</b><o:p></o:p></p>
<p class="MsoNormal"><b> </b><o:p></o:p></p>
<p class="MsoNormal">My understanding (please correct me if
I’m wrong), is that the pcp.conf file must use md5
encryption regardless of what your password_encryption in
the DB is.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"><br>
pcp is for managing PgPool.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">The pool_password file (when using
scram-sha-256 encryption) requires the string it gets
automatically (which includes the AES prefix) by the pg_enc
command when providing the “-m” attribute.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"><br>
pool_passwd is for accessing Postgresql databases. Their
"user lists" are completely separate. You can, for example,
have user "blarge" in pcp.conf but not in pool_passwd (and
by extension be a Postgresql role).<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">However, I’ve not been able to find
anything documented for the password files.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"><br>
What do you mean? <a
href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.pgpool.net%2Fdocs%2F43%2Fen%2Fhtml%2Fauth-methods.html&data=05%7C01%7Ctodd.stein%40microfocus.com%7C74b196748d38442770ac08db3068d1a7%7C856b813c16e549a585ec6f081e13b527%7C0%7C0%7C638156998980302068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SoP1bzxnsvnmNLUJVD9Ue9VKvbW%2BTXWw2c6ATDmAT1U%3D&reserved=0"
moz-do-not-send="true">
https://www.pgpool.net/docs/43/en/html/auth-methods.html</a>
describes pool_passwd, and describes how to create MD5 and
SHA256 hashes.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> I’m pretty sure I’ve seen that if I
were to use an encrypted password (scram-sha-256) in the
pgpool.conf file, it must include the AES prefix.
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"><br>
pg_enc does that for you.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In my testing I find that if the password
in ~/.pgpass includes the AES prefix in the encrypted
password, I get password authentication failed for user
“postgres” when the system tries to start a replication
slot.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"><br>
That needs more detail.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB">--
<br>
Born in Arizona, moved to Babylonia.<o:p></o:p></span></p>
</div>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Born in Arizona, moved to Babylonia.</div>
</body>
</html>