[Pgpool-general] Authentication in replication mode

Walter Coole WCoole at aperiogroup.com
Fri Mar 27 17:05:17 UTC 2009


Apologies if this duplicates a previous message, but it looks like the
previous one hasn't made it out (since I only subscribed recently):

This is probably a newbie question, but how does one configure pgpool
for reasonably secure authentication in replication mode?

My use case is one (not terribly) big database that I want to replicate
to a warm standby.  Everything works OK with replication_mode = false,
regardless of which backend is configured.

With replication_mode = true, I get an error, "pool_do_auth: backend
does not return authenticaton ok".  IIUC, this is because the md5
protocol asks the server to supply a salt to the client and the 2 hosts
don't come up with the same random number.

I can fix this by using "trust" or "password" authentication, but these
seem undesirable for our application, since the first doesn't protect
the database at all, and the second is highly vulnerable to packet
sniffers, etc.  Theoretically, all our traffic is inside the firewall,
but that's not as reassuring as I'd wish.

I had (to the extent I'd thought about it) assumed pgpool would accept
an authentication from its client and make a separate authenticated
connection to each backend, but I don't see how to configure it to do
that.

Does pgpool support a more secure form of authentication?  Is there a
more secure configuration to allow use of these "insecure" protocols
within a narrow enough scope that these vulnerabilities are protected?

Thanks!

Walter

PS. I'm using pgpool version 2.0.1(heemauli) on Red Hat Enterprise Linux
Server release 5.3
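
The salt mismatch described in the message above, as an added example that is not part of the original post and is not pgpool code: it computes PostgreSQL's md5 challenge response for two backends that issue different salts, first relaying one client answer to both, then answering each challenge separately from the stored hash. The user name, password, salts and function names are constructed for illustration.

```python
import hashlib
import hmac


def stored_hash(user: str, password: str) -> str:
    """Hex digest PostgreSQL stores for an md5 role (shown without the 'md5' prefix)."""
    return hashlib.md5(password.encode() + user.encode()).hexdigest()


def md5_response(inner_hex: str, salt: bytes) -> str:
    """Password message answering an md5 challenge that carries a 4-byte salt."""
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def backend_accepts(user_hash: str, salt: bytes, response: str) -> bool:
    """Server-side check: recompute from the stored hash and this session's salt."""
    return hmac.compare_digest(md5_response(user_hash, salt), response)


# Constructed sample values; each backend picks its own random salt per connection.
USER, PASSWORD = "app", "example-password"
SALT_A = bytes.fromhex("1a2b3c4d")
SALT_B = bytes.fromhex("99887766")


def relay_one_response():
    """Middlebox passes backend A's salt to the client and relays the one answer to both."""
    h = stored_hash(USER, PASSWORD)
    client_answer = md5_response(h, SALT_A)
    return (backend_accepts(h, SALT_A, client_answer),
            backend_accepts(h, SALT_B, client_answer))


def answer_each_challenge():
    """Middlebox holding the stored hash answers every backend's own salt."""
    h = stored_hash(USER, PASSWORD)
    return (backend_accepts(h, SALT_A, md5_response(h, SALT_A)),
            backend_accepts(h, SALT_B, md5_response(h, SALT_B)))


if __name__ == "__main__":
    print("relay one response:   ", relay_one_response())
    print("answer each challenge:", answer_each_challenge())
```

The second function succeeds without the cleartext password, so the stored md5 hash is itself sufficient to authenticate and any file holding it needs the same protection as the password.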
