[pgpool-general: 4548] Re: md5 authentication without pool_passwd
Tatsuo Ishii
ishii at postgresql.org
Tue Mar 15 08:02:30 JST 2016
> Hi all,
>
> this is an enhancement request.
> AFAIK currently the only way to use md5 authentication with pgpool-II and
> PostgreSQL is the following:
>
> - setup pool_hba file to enforce md5 authentication from client hosts
> - setup pool_passwd file with users and passwords to be used by the
> clients
> - setup pg_hba file to enforce md5 authentication from pgpool host(s)
> - create users in PostgreSQL with the same password as in pool_passwd
> file.
>
> This works perfectly and is the way suggested in the manual.
>
> The problem with this setup is that it is cumbersome and error prone to
> keep pool_passwd aligned with postgresql users.
> In order to add a new user we need to add it in postgresql, add it in
> pool_passwd and reload pgpool to read again pool_passwd file.
>
> It would be great to find a way to bypass pgpool authentication and
> authenticate only in PostgreSQL.
> If PostgreSQL authentication succeeds, client authentication succeeds,
> otherwise it fails.
> In this way there will be no double authentication against pgpool and
> against postgresql.
> Moreover users and passwords will be only in PostgreSQL, where their
> management is easier.
>
> I don't know if this is technically feasible but it could work like that:
>
> - setup pool_hba to enforce md5 authentication from client hosts
> - disable the use of pool_passwd
> - setup pg_hba to enforce md5 authentication from pgpool host
> - create users in PostgreSQL.
>
> In this setup pgpool will simply try md5 authentication against PostgreSQL
> with user and password provided by the client, and reports success or
> failure to the client.
>
> Obviously if there is a mismatch between the authentication enforced in
> pool_hba and the one resulting from pg_hba an error will be returned.
>
> I've opened a enhancement request
> http://www.pgpool.net/mantisbt/view.php?id=170
>
> What do you think about this proposal?
The problem with your idea is, client needs to send a clear text
password to pgpool-II, that is regarded bad from modern security
design's point of view.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
More information about the pgpool-general
mailing list