[pgpool-general: 4548] Re: md5 authentication without pool_passwd

Tatsuo Ishii ishii at postgresql.org
Tue Mar 15 08:02:30 JST 2016


> Hi all,
> 
> this is an enhancement request.
> AFAIK currently the only way to use md5 authentication with pgpool-II and
> PostgreSQL is the following:
> 
>    - setup pool_hba file to enforce md5 authentication from client hosts
>    - setup pool_passwd file with users and passwords to be used by the
>    clients
>    - setup pg_hba file to enforce md5 authentication from pgpool host(s)
>    - create users in PostgreSQL with the same password as in pool_passwd
>    file.
> 
> This works perfectly and is the way suggested in the manual.
> 
> The problem with this setup is that it is cumbersome and error prone to
> keep pool_passwd aligned with postgresql users.
> In order to add a new user we need to add it in postgresql, add it in
> pool_passwd and reload pgpool to read again pool_passwd file.
> 
> It would be great to find a way to bypass pgpool authentication and
> authenticate only in PostgreSQL.
> If PostgreSQL authentication succeeds, client authentication succeeds,
> otherwise it fails.
> In this way there will be no double authentication against pgpool and
> against postgresql.
> Moreover users and passwords will be only in PostgreSQL, where their
> management is easier.
> 
> I don't know if this is technically feasible but it could work like that:
> 
>    - setup pool_hba to enforce md5 authentication from client hosts
>    - disable the use of pool_passwd
>    - setup pg_hba to enforce md5 authentication from pgpool host
>    - create users in PostgreSQL.
> 
> In this setup pgpool will simply try md5 authentication against PostgreSQL
> with user and password provided by the client, and reports success or
> failure to the client.
> 
> Obviously if there is a mismatch between the authentication enforced in
> pool_hba and the one resulting from pg_hba an error will be returned.
> 
> I've opened a enhancement request
> http://www.pgpool.net/mantisbt/view.php?id=170
> 
> What do you think about this proposal?

The problem with your idea is, client needs to send a clear text
password to pgpool-II, that is regarded bad from modern security
design's point of view.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp


More information about the pgpool-general mailing list