View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000374 | Pgpool-II | Bug | public | 2017-12-23 00:46 | 2018-02-16 10:58 |
| Reporter | marcio | Assigned To | t-ishii | ||
| Priority | high | Severity | major | Reproducibility | always |
| Status | closed | Resolution | open | ||
| Product Version | 3.7.0 | ||||
| Summary | 0000374: md5 authentication is broken | ||||
| Description | This issue may have relation with http://www.pgpool.net/mantisbt/view.php?id=196. I have a server (10.80.15.164) running postgresql-10/pgpool-3.7 and a client (10.80.15.30) for testing. If file pool_passwd does not contain the user trying to connect, it will prevent access, it's okay: [root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 9999 -d alfresco -U alfresco psql: FATAL: md5 authentication failed DETAIL: pool_passwd file does not contain an entry for "alfresco" [root@10.80.15.164 pgpool-II]# cat pool_passwd postgres:md5df745e1d739eeb8388a86357549c809f ---------------------------- If file pool_passwd contains any hash, even if it does not match the password for the user, it will allow access. It appears that pgpool is not checking the password given against the md5 hash in pool_passwd. [root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 9999 -d alfresco -U alfresco <<<-- no password psql (10.0, server 10.1) Type "help" for help. alfresco=> [root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 9999 -d alfresco -U alfresco -W <<<-- type any text when asked for password psql (10.0, server 10.1) Type "help" for help. alfresco=> [root@10.80.15.164 pgpool-II]# cat pool_passwd postgres:md5df745e1d739eeb8388a86357549c809f alfresco:md5abc <<<-- invalid/wrong ------- If I connect in port 5432 and type the wrong password, the access is not allowed. [root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 5432 -d alfresco -U alfresco Password for alfresco: psql: FATAL: password authentication failed for user "alfresco" But, if I type the correct password, the access is allowed. [root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 5432 -d alfresco -U alfresco Password for alfresco: psql (10.0, server 10.1) Type "help" for help. alfresco=> | ||||
| Steps To Reproduce | Here the config files: [root@10.80.15.164 pgpool-II]# cat pool_hba.conf # TYPE DATABASE USER CIDR-ADDRESS METHOD # "local" is for Unix domain socket connections only local all all trust # IPv4 local connections: host all all 127.0.0.1/32 trust host all all ::1/128 trust host alfresco alfresco 10.80.15.30/32 md5 [root@10.80.15.164 pgpool-II]# cat pgpool.conf [snip] enable_pool_hba = true pool_passwd = 'pool_passwd' connection_cache = off [root@10.80.15.164 pgpool-II]# cat /var/lib/pgsql/10/data/pg_hba.conf # TYPE DATABASE USER ADDRESS METHOD # "local" is for Unix domain socket connections only local all all peer # IPv4 local connections: host all all 127.0.0.1/32 trust # IPv6 local connections: host all all ::1/128 trust # host alfresco alfresco 10.80.15.30/32 md5 | ||||
| Additional Information | I think that pgpool is ignoring the content in pool_passwd, allowing access with no password or any password. Regards. | ||||
| Tags | No tags attached. | ||||
|
|
Your pg_hba.conf allows Pgpool-II to connect to PostgreSQL without password since the pg_hba.conf includes following lines: # "local" is for Unix domain socket connections only local all all peer # IPv4 local connections: host all all 127.0.0.1/32 trust # IPv6 local connections: host all all ::1/128 trust You should change "trust" to "md5"for those lines in the pg_hba.conf. See FAQ for more information. https://pgpool.net/mediawiki/index.php/FAQ#I_created_pool_hba.conf_and_pool_passwd_to_enable_md5_authentication_through_pgpool-II_but_it_does_not_work._Why.3F |
|
|
May close this issue? |
|
|
Hi! I will test again and report if it not work. BR. |
|
|
Ok, if I see no feedback within 1 month, I will close this issue. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-12-23 00:46 | marcio | New Issue | |
| 2017-12-24 18:07 | t-ishii | Note Added: 0001879 | |
| 2017-12-27 13:11 | t-ishii | Note Added: 0001881 | |
| 2017-12-27 13:12 | t-ishii | Assigned To | => t-ishii |
| 2017-12-27 13:12 | t-ishii | Status | new => feedback |
| 2017-12-27 22:07 | marcio | Note Added: 0001884 | |
| 2017-12-27 22:07 | marcio | Status | feedback => assigned |
| 2017-12-28 14:04 | t-ishii | Note Added: 0001885 | |
| 2017-12-28 14:04 | t-ishii | Status | assigned => feedback |
| 2018-02-16 10:58 | t-ishii | Status | feedback => closed |
