[pgpool-general: 4551] Re: md5 authentication without pool_passwd
Tatsuo Ishii
ishii at postgresql.org
Tue Mar 15 17:51:00 JST 2016
> For your information, here is what pgpool-II does in the current md5
> implementation.
>
> 1) PostgreSQL and pgpool store md5(password+username) in
> pool_passwd or pg_authid. From now on I denote the string
> "password+username" as "S".
>
> 2) When md5 auth is requested, pgpool sends a random number salt "s0"
> to frontend.
>
> 3) Frontend replies back to pgpool with md5(S+s0).
>
> 4) pgpool extracts S from pool_passwd and calculates md5(S+s0). If #3
> and #4 match, it goes to the next step.
>
> 5) Each backend sends salt to pgpool. Suppose we have two backends b1
> and b2, and salts are s1 and s2.
>
> 6) pgpool extracts S from pool_passwd, calculates md5(S+s1) and sends
> it to b1. pgpool extracts S from pool_passwd, calculates md5(S+s2)
> and sends it to b2.
>
> 7) If b1 and b2 agree with the authentication, the whole md5 auth
> process succeeds.
I have put the above into our FAQ.
http://pgpool.net/mediawiki/index.php/FAQ#How_does_pgpool-II_handle_md5_authentication.3F
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
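
An added sketch of the seven steps above (not code from pgpool-II or from this message), assuming PostgreSQL's md5 response format "md5" + md5(stored_hash + salt) with a 4-byte salt; all class and function names are hypothetical. It also shows why pgpool needs pool_passwd: a frontend reply bound to s0 cannot simply be forwarded to backends that issued s1 and s2.

```python
import hashlib
import hmac
import os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_hash(password: str, username: str) -> str:
    # Step 1: value kept in pool_passwd / pg_authid (shown without the "md5" prefix).
    return md5_hex((password + username).encode())

def md5_response(stored: str, salt: bytes) -> str:
    # Steps 3, 4 and 6: response for a given salt (assumed PostgreSQL wire format).
    return "md5" + md5_hex(stored.encode() + salt)

class Backend:
    # Constructed stand-in for a PostgreSQL backend (b1, b2 in the message).
    def __init__(self, authid):
        self.authid = authid      # username -> stored hash
        self.salt = b""
    def new_salt(self) -> bytes:
        self.salt = os.urandom(4)  # step 5: each backend issues its own salt
        return self.salt
    def check(self, username: str, response: str) -> bool:
        expected = md5_response(self.authid[username], self.salt)
        return hmac.compare_digest(expected, response)

def pgpool_authenticate(pool_passwd, backends, username, frontend_reply) -> bool:
    # frontend_reply is a callable salt -> response, standing in for the client.
    s0 = os.urandom(4)                                   # step 2
    reply = frontend_reply(s0)                           # step 3
    stored = pool_passwd.get(username)
    if stored is None or not hmac.compare_digest(md5_response(stored, s0), reply):
        return False                                     # step 4 failed
    # Steps 5-7: recompute the response per backend salt; all backends must agree.
    return all(b.check(username, md5_response(stored, b.new_salt())) for b in backends)

def relay_only(backends, username, frontend_reply) -> bool:
    # Without pool_passwd: forward the reply made for s0 to backends using s1, s2.
    reply = frontend_reply(os.urandom(4))
    for b in backends:
        b.new_salt()
        if not b.check(username, reply):
            return False
    return True
```
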