[pgpool-general: 7924] Re: Problem using password authentication

Jon SCHEWE jon.schewe at raytheon.com
Thu Dec 9 02:17:22 JST 2021


Yes, I saw the instructions on handling the auth methods. In my case I don't want to do the maintenance to create a separate entry in a password file on all hosts when I create new users in postgresql. Using clear text passwords avoids the maintenance of needing to create every user in a separate file on all nodes in addition to the usual create role command in postgresql. Wrapping it in ssl makes it reasonably secure.


Jon Schewe
Principal Software Systems Technologist

C: +1 612.263.2718
O: +1 952.545.5720
jon.schewe at raytheon.com

Raytheon Technologies
Raytheon Intelligence & Space
5775 Wayzata Blvd. Suite 630
St. Louis Park, MN 55416

From: Wolf Schwurack <wolf at uen.org>
Sent: Wednesday, December 8, 2021 10:48
To: Jon SCHEWE <jon.schewe at raytheon.com>; Bo Peng <pengbo at sraoss.co.jp>
Cc: pgpool-general at pgpool.net <pgpool-general at pgpool.net>
Subject: [External] Re: [pgpool-general: 7920] Re: Problem using password authentication 
 
Not sure why anyone would want to use clear text passwords, but that is your deal. If you look at the link below, it shows the auth-method to use:
https://www.pgpool.net/docs/42/en/html/auth-pool-hba-conf.html
 
Wolf 
 
From: Jon SCHEWE <jon.schewe at raytheon.com>
Date: Wednesday, December 8, 2021 at 9:39 AM
To: Wolfgang Schwurack <wolf at uen.org>, Bo Peng <pengbo at sraoss.co.jp>
Cc: "pgpool-general at pgpool.net" <pgpool-general at pgpool.net>
Subject: Re: [pgpool-general: 7920] Re: Problem using password authentication
 
I'm using "password" authentication. As in the password is sent as clear text (inside SSL) to pgpool and then on to postgres. This is a valid option instead of "trust", "md5", etc. And it is working from the same network, just not from other networks.
 
Jon Schewe
 

From: Wolf Schwurack <wolf at uen.org>
Sent: Wednesday, December 8, 2021 09:34
To: Jon SCHEWE <jon.schewe at raytheon.com>; Bo Peng <pengbo at sraoss.co.jp>
Cc: pgpool-general at pgpool.net <pgpool-general at pgpool.net>
Subject: [External] Re: [pgpool-general: 7920] Re: Problem using password authentication 
 
First of all, you don't put the password in pool_hba.conf; this should be 'trust', 'md5', etc. Passwords are encrypted in pool_passwd. If you read the documents, it goes over all of this.

Wolf

On 12/8/21, 8:24 AM, "pgpool-general on behalf of Jon SCHEWE" <pgpool-general-bounces at pgpool.net on behalf of jon.schewe at raytheon.com> wrote:

    > > I'm using password authentication over SSL. This works fine with connections from the same network, but doesn't work with connections from another network. Can anyone explain why this isn't working?
    > >
    > > in pgpool.conf:
    > > enable_pool_hba = on
    > > pool_passwd = ''
    > >
    > >
    > > in pool_hba.conf:
    > > # "local" is for Unix domain socket connections only
    > > local   all         all                               trust
    > > # IPv4 local connections:
    > > host    all         all         127.0.0.1/32          trust
    > > host    all         all         ::1/128               trust
    > >
    > > hostssl    all         all           0.0.0.0/0          password
    > >
    > > log output:
    > > Dec  7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: WARNING:  unable to get password, password file descriptor is NULL
    > > Dec  7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: FATAL:  client authentication failed
    > > Dec  7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: DETAIL:  no pool_hba.conf entry for host "XXX.XXX.XXX.XXX", user "", database "", SSL off
    > 
    > I am wondering why the "user" and "database" are blank.
    > Can you connect to PostgreSQL from another network?

    Our firewall limits access to PostgreSQL from other networks to prevent applications from connecting to the individual instances rather than pgpool.

    My pg_hba.conf for PostgreSQL limits connections to the pgpool hosts. In this case the pgpool virtual IP is 192.1.213.40 and the 3 hosts are allowed to connect to PostgreSQL directly.

    hostssl all all 192.1.213.41/32 password
    hostssl all all 192.1.213.42/32 password
    hostssl all all 192.1.213.43/32 password
    _______________________________________________
    pgpool-general mailing list
    pgpool-general at pgpool.net
    http://www.pgpool.net/mailman/listinfo/pgpool-general
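
The DETAIL line in the log quoted above ends with "SSL off", and a hostssl record only matches connections that have negotiated SSL. The sketch below is an added example, not part of the thread and not pgpool's own code: a simplified first-match evaluator over the pool_hba.conf records posted above. The client addresses and the "app" database/user names are constructed for illustration.

```python
import ipaddress

# pool_hba.conf records as posted in the thread (comment lines dropped).
POOL_HBA = """\
local   all         all                               trust
host    all         all         127.0.0.1/32          trust
host    all         all         ::1/128               trust
hostssl    all         all           0.0.0.0/0          password
"""

def parse(text):
    """Return (type, database, user, network-or-None, method) tuples."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                    # local records have no address column
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            rules.append((f[0], f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules

def match(rules, client_ip, ssl, database="app", user="app"):
    """First-match lookup for a TCP client; returns the auth method or None.

    Simplified: handles only the local/host/hostssl record types and the
    'all' or literal database/user fields that appear in the thread.
    """
    ip = ipaddress.ip_address(client_ip)
    for rtype, db, usr, net, method in rules:
        if rtype == "local":                   # Unix-domain socket only, never TCP
            continue
        if rtype == "hostssl" and not ssl:     # SSL-only record skips plain TCP
            continue
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if ip.version == net.version and ip in net:
            return method
    return None                                # logged as "no pool_hba.conf entry for host"

RULES = parse(POOL_HBA)

if __name__ == "__main__":
    # Constructed clients: remote IPv4 with and without SSL, loopback, remote IPv6.
    for ip, ssl in [("203.0.113.7", True), ("203.0.113.7", False),
                    ("127.0.0.1", False), ("2001:db8::1", True)]:
        print(f"{ip:<14} ssl={ssl!s:<5} -> {match(RULES, ip, ssl)}")
```

With these records a remote client that connects without SSL matches nothing, and 0.0.0.0/0 covers IPv4 only, so a remote IPv6 client is also rejected even over SSL.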

