View Issue Details

ID: 0000374
Project: Pgpool-II
Category: Bug
View Status: public
Last Update: 2018-02-16 10:58
Reporter: marcio
Assigned To: t-ishii
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: open
Product Version: 3.7.0
Target Version:
Fixed in Version:
Summary: 0000374: md5 authentication is broken
Description:

This issue may be related to http://www.pgpool.net/mantisbt/view.php?id=196.

I have a server (10.80.15.164) running postgresql-10/pgpool-3.7 and a client (10.80.15.30) for testing.

If the pool_passwd file does not contain the user trying to connect, it will prevent access, which is okay:

[root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 9999 -d alfresco -U alfresco
psql: FATAL: md5 authentication failed
DETAIL: pool_passwd file does not contain an entry for "alfresco"

[root@10.80.15.164 pgpool-II]# cat pool_passwd
postgres:md5df745e1d739eeb8388a86357549c809f

----------------------------
If file pool_passwd contains any hash, even if it does not match the password for the user, it will allow access. It appears that pgpool is not checking the password given against the md5 hash in pool_passwd.

[root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 9999 -d alfresco -U alfresco <<<-- no password
psql (10.0, server 10.1)
Type "help" for help.

alfresco=>

[root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 9999 -d alfresco -U alfresco -W <<<-- type any text when asked for password
psql (10.0, server 10.1)
Type "help" for help.

alfresco=>

[root@10.80.15.164 pgpool-II]# cat pool_passwd
postgres:md5df745e1d739eeb8388a86357549c809f
alfresco:md5abc <<<-- invalid/wrong

-------
If I connect on port 5432 and type the wrong password, the access is not allowed.
[root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 5432 -d alfresco -U alfresco
Password for alfresco:
psql: FATAL: password authentication failed for user "alfresco"

But, if I type the correct password, the access is allowed.
[root@10.80.15.30 ~]# psql -h 10.80.15.164 -p 5432 -d alfresco -U alfresco
Password for alfresco:
psql (10.0, server 10.1)
Type "help" for help.

alfresco=>
Steps To Reproduce:

Here are the config files:

[root@10.80.15.164 pgpool-II]# cat pool_hba.conf
# TYPE DATABASE USER CIDR-ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host alfresco alfresco 10.80.15.30/32 md5


[root@10.80.15.164 pgpool-II]# cat pgpool.conf
[snip]
enable_pool_hba = true
pool_passwd = 'pool_passwd'
connection_cache = off


[root@10.80.15.164 pgpool-II]# cat /var/lib/pgsql/10/data/pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
#
host alfresco alfresco 10.80.15.30/32 md5

Additional Information:

I think that pgpool is ignoring the content in pool_passwd, allowing access with no password or any password.

Regards.

Tags: No tags attached.

Activities

t-ishii

2017-12-24 18:07

developer   ~0001879

Your pg_hba.conf allows Pgpool-II to connect to PostgreSQL without a password since the pg_hba.conf includes the following lines:

# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust

You should change "trust" to "md5" for those lines in the pg_hba.conf.

See FAQ for more information.
https://pgpool.net/mediawiki/index.php/FAQ#I_created_pool_hba.conf_and_pool_passwd_to_enable_md5_authentication_through_pgpool-II_but_it_does_not_work._Why.3F
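
An added example (not part of the original thread and not Pgpool-II code): a small Python check that applies PostgreSQL's first-match rule to the pg_hba.conf posted in the report, showing which method the backend uses for a connection arriving from Pgpool-II compared with one arriving directly from the client. It assumes Pgpool-II reaches the backend over loopback or the Unix socket (the backend address is in the snipped part of pgpool.conf), and it handles only CIDR addresses and the keyword all.

```python
import ipaddress

# pg_hba.conf rules as posted in the report (comment lines dropped).
PG_HBA = """\
local all all peer
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host alfresco alfresco 10.80.15.30/32 md5
"""

# Methods that let a connection in without asking for a password.
PASSWORDLESS = {"trust", "peer", "ident"}

def parse_hba(text):
    """Return rules as (type, databases, users, network or None, method)."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "local":
            rules.append(("local", f[1].split(","), f[2].split(","), None, f[3]))
        elif len(f) >= 5 and f[0].startswith("host"):
            # Only CIDR addresses and "all" are handled in this example.
            net = None if f[3] == "all" else ipaddress.ip_network(f[3], strict=False)
            rules.append(("host", f[1].split(","), f[2].split(","), net, f[4]))
    return rules

def backend_method(hba_text, database, user, source):
    """Method of the first matching rule, or None if no rule matches
    (PostgreSQL rejects the connection). source=None means Unix socket."""
    addr = ipaddress.ip_address(source) if source else None
    for kind, dbs, users, net, method in parse_hba(hba_text):
        if (kind == "local") != (addr is None):
            continue
        if "all" not in dbs and database not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        if net is not None and addr not in net:
            continue
        return method
    return None

if __name__ == "__main__":
    # Assumption: Pgpool-II reaches the backend via loopback or the Unix socket.
    for label, src in [("client direct", "10.80.15.30"),
                       ("pgpool via 127.0.0.1", "127.0.0.1"),
                       ("pgpool via socket", None)]:
        m = backend_method(PG_HBA, "alfresco", "alfresco", src)
        note = "NO password check" if m in PASSWORDLESS else "password required"
        print(f"{label:22} -> {m}: {note}")
```

With "trust" replaced by "md5" in the loopback rules, the lookup for 127.0.0.1 returns md5 instead of trust.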

t-ishii

2017-12-27 13:11

developer   ~0001881

May I close this issue?

marcio

2017-12-27 22:07

reporter   ~0001884

Hi!
I will test again and report if it does not work.
BR.

t-ishii

2017-12-28 14:04

developer   ~0001885

Ok, if I see no feedback within 1 month, I will close this issue.

Issue History

Date Modified Username Field Change
2017-12-23 00:46 marcio New Issue
2017-12-24 18:07 t-ishii Note Added: 0001879
2017-12-27 13:11 t-ishii Note Added: 0001881
2017-12-27 13:12 t-ishii Assigned To => t-ishii
2017-12-27 13:12 t-ishii Status new => feedback
2017-12-27 22:07 marcio Note Added: 0001884
2017-12-27 22:07 marcio Status feedback => assigned
2017-12-28 14:04 t-ishii Note Added: 0001885
2017-12-28 14:04 t-ishii Status assigned => feedback
2018-02-16 10:58 t-ishii Status feedback => closed