[pgpool-general: 7928] Re: Problem using password authentication

Jon SCHEWE jon.schewe at raytheon.com
Sat Dec 11 01:16:14 JST 2021


Replying to both messages here.

Changing pool_hba.conf from "password" to "trust" doesn't change the remote connections. To be clear, connections from the same subnet as the pgpool host work just fine. Connections from a subnet other than the pgpool subnet fail immediately.

> > I'm using password authentication over SSL. This works fine with connections from the same network, but doesn't work with connections from another network. Can anyone explain why this isn't working?
> >
> > in pgpool.conf:
> > enable_pool_hba = on
> > pool_passwd = ''
> >
> >
> > in pool_hba.conf:
> > # "local" is for Unix domain socket connections only
> > local   all         all                               trust
> > # IPv4 local connections:
> > host    all         all         127.0.0.1/32          trust
> > host    all         all         ::1/128               trust
> >
> > hostssl    all         all           0.0.0.0/0          password
> >
> > log output:
> > Dec  7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: WARNING:  unable to get password, password file descriptor is NULL
> > Dec  7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: FATAL:  client authentication failed
> > Dec  7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: DETAIL:  no pool_hba.conf entry for host "XXX.XXX.XXX.XXX", user "", database "", SSL off
> 
> Works for me. I am using Pgpool-II on the master branch HEAD (almost
> same as 4.3.0 at this point). Which version of Pgpool-II are you
> using?
> 
> psql -p 11000 -U foo -h localhost test
> Password for user foo:
> psql (14.1)
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
> Type "help" for help.
> 
> test=> \q

This works fine for me as it's a localhost connection. It's when I'm connecting from a subnet other than the one the pgpool master is on.

> From pgpool.conf:
> 
> pool_passwd = ''
> enable_pool_hba = on
> ssl = on
> ssl_key = 'server.key'
> ssl_cert = 'server.crt'
> ssl_prefer_server_ciphers = on
> ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'
> 
> From pool_hba.conf:
> hostssl    all         foo         0.0.0.0/0          password
> 
> From pg_hba.conf:
> hostssl      all   foo     0/0    scram-sha-256

I have "password" as the mechanism in both pool_hba.conf and pg_hba.conf.
I do have pg_hba.conf limited to allow connections only from the pgpool hosts.


> Can you provide pgpool.log with log_min_messages = debug5?

That is attached. Note that XXX.XXX.XXX.* and YYY.YYY.YYY.* are different subnets.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.log
Type: text/x-log
Size: 234315 bytes
Desc: debug.log
URL: <http://www.pgpool.net/pipermail/pgpool-general/attachments/20211210/9e36caf6/attachment-0001.bin>
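
An added example (not part of the original message and not Pgpool-II's own code): a simplified first-match evaluator for the pool_hba.conf records quoted above. It shows that a `hostssl` record is considered only for connections using SSL, so a non-SSL connection from a non-loopback address finds no entry, which is the condition the DETAIL log line reports with "SSL off". The client address 203.0.113.7, the database/user defaults, and the names `parse` and `match` are constructed for illustration; only the `all` keyword and single names are handled.

```python
import ipaddress

# Records copied from the pool_hba.conf quoted in the thread.
POOL_HBA = """\
local   all         all                               trust
host    all         all         127.0.0.1/32          trust
host    all         all         ::1/128               trust
hostssl    all         all           0.0.0.0/0          password
"""

def parse(text):
    """Return (type, database, user, network_or_None, method) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":  # "local" records have no address column
            rtype, db, user, method = fields[:4]
            net = None
        else:
            rtype, db, user, cidr, method = fields[:5]
            net = ipaddress.ip_network(cidr, strict=False)
        records.append((rtype, db, user, net, method))
    return records

def match(records, client_ip, ssl, database="test", user="foo"):
    """First-match lookup. client_ip=None means a Unix-socket connection.
    Returns the auth method, or None when no record applies (rejected)."""
    addr = ipaddress.ip_address(client_ip) if client_ip else None
    for rtype, db, usr, net, method in records:
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if rtype == "local":
            if addr is None:
                return method
            continue
        if addr is None or addr.version != net.version or addr not in net:
            continue
        if rtype == "hostssl" and not ssl:   # SSL-only record, plain connection
            continue
        if rtype == "hostnossl" and ssl:     # plain-only record, SSL connection
            continue
        return method
    return None

RECORDS = parse(POOL_HBA)
if __name__ == "__main__":
    for ip, ssl in [("127.0.0.1", False), ("203.0.113.7", True), ("203.0.113.7", False)]:
        print(ip, "SSL on" if ssl else "SSL off", "->", match(RECORDS, ip, ssl))
```
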

