[pgpool-general: 7036] Re: SSL authentication in Pgpool
Tatsuo Ishii
ishii at sraoss.co.jp
Sat May 23 12:55:47 JST 2020
>> >>> Can you elaborate what is your security concern?
>>
> That the password will be in plain text ( not encrypted ) and can be
> compromised. Or I am missing something here.
If you are talking about passwords flying between frontend and pgpool
with allow_clear_text_frontend_auth enabled, then yes. But you can use
SSL to protect passwords from attackers.
> But when I am trying to login via psql (using pgpool user), it is giving
> me the below error. I tried using pool_password file ( pgpool:AESxxxxx) as
> well but no luck.
> # psql -p 9999 -h hostname -U pgpool
> psql: ERROR: unable to read message length
> DETAIL: message length (23) in slot 1 does not match with slot 0(42)
> ERROR: unable to read message length
> DETAIL: message length (23) in slot 1 does not match with slot 0(42)
> *Pgpool log:*
> 2020-05-22 16:24:54: pid 11774: ERROR: unable to read message length
> 2020-05-22 16:24:54: pid 11774: DETAIL: message length (23) in slot 1 does
> not match with slot 0(42)
> * All users who have an md5 password and have an entry in the pool_passwd file are
> logging in successfully (using psql and pgpool), but the problem is with the user
> having a SCRAM password.
>
> Questions:
> - What am I doing wrong in above step?
It seems the entry for the "pgpool" user in pg_hba.conf is different
among backends.
> - What are the steps , if I need to use combination of md5 and SCRAM
> passwords?
> - when do I need to use pool_hba?
In this case (using allow_clear_text_frontend_auth) you do not need to
use pool_hba.conf.
> - Is it true that pool_passwd file works only for md5 passwords?
No.
> If yes,
> then how users with SCRAM password enabled will be able to connect using
> pgpool?
You need to set up SCRAM password in pool_passwd.
>> >>>A password in pool_passwd is used if health_check_password is an empty
>> >>>string.
>>
>> > - Some Detail msg in pgpool log that I am not sure of? What is server
>> > here ( pgpool or postgres) - server doesn't want to talk SSL
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: authenticate backend: key data
>> > received
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: authenticate backend: transaction
>> > state: I
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: attempting to negotiate a secure
>> > connection
>> > 2020-05-21 19:16:20: pid 6664: DETAIL: sending client->server SSL
>> request
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: attempting to negotiate a secure
>> > connection
>> > 2020-05-21 19:16:20: pid 6664: DETAIL: client->server SSL response: N
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: attempting to negotiate a secure
>> > connection
>> > 2020-05-21 19:16:20: pid 6664: DETAIL: *server doesn't want to talk SSL*
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: authenticate kind = 0
>>
>> >>> "server" means PostgreSQL here.
>> Thanks
>>
> What is the meaning of this message ? server doesn't want to talk SSL
PostgreSQL is not ready to accept SSL connections from pgpool.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
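
One way to check the point made above, that the pg_hba.conf entry for the "pgpool" user differs among backends: resolve the first matching rule on each backend and compare the auth methods. This is an added example, not part of the original message and not pgpool code; the pg_hba.conf contents, the client address 10.0.0.5 and the function names are constructed assumptions.

```python
import ipaddress

# Constructed pg_hba.conf contents for two backends (not taken from the thread).
BACKEND0_HBA = """
# TYPE  DATABASE  USER    ADDRESS        METHOD
local   all       all                    peer
host    all       pgpool  10.0.0.0/24    scram-sha-256
host    all       all     10.0.0.0/24    md5
"""
BACKEND1_HBA = """
local   all       all                    peer
host    all       all     10.0.0.0/24    md5
host    all       pgpool  10.0.0.0/24    scram-sha-256
"""

def _in_list(field, value):
    # Comma-separated list; "all" matches anything. +role and @file are not expanded.
    return any(item in ("all", value) for item in field.split(","))

def first_match(hba_text, database, user, client_ip, ssl=False):
    """Return the auth method of the first matching TCP rule (first match wins)."""
    ip = ipaddress.ip_address(client_ip)
    for raw in hba_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # blank line, comment, or Unix-socket ("local") rule
        conn_type, db, usr, addr, method = fields[:5]
        if (conn_type == "hostssl" and not ssl) or (conn_type == "hostnossl" and ssl):
            continue
        if not (_in_list(db, database) and _in_list(usr, user)):
            continue
        if addr != "all":
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue  # hostnames, samehost, samenet: not handled in this sketch
            if ip not in net:
                continue
        return method  # CIDR address form only; "IP mask" form is not handled
    return None

def compare_backends(hbas, database, user, client_ip, ssl=False):
    """Map backend name -> method, plus whether every backend agrees."""
    methods = {n: first_match(t, database, user, client_ip, ssl) for n, t in hbas.items()}
    return methods, len(set(methods.values())) == 1

if __name__ == "__main__":
    hbas = {"backend0": BACKEND0_HBA, "backend1": BACKEND1_HBA}
    print(compare_backends(hbas, "postgres", "pgpool", "10.0.0.5"))
```

In the constructed input both files contain the same rules, but their order differs, so backend1 answers the "pgpool" user with md5 while backend0 answers with scram-sha-256.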