[pgpool-general: 8688] Re: password file format

Ron ronljohnsonjr at gmail.com
Thu Mar 30 00:18:10 JST 2023


On 3/29/23 09:52, Todd Stein wrote:
>
> Hi,
>
> Will someone please correct or confirm my assumption of the SCRAM-SHA-256 
> password file format for $HOME/.pgpass and $HOME/.pcppass files?
>
> I’m not sure if I should be using the password with the AES prefix outside 
> of the pool_password file or not.  For example in the .pgpass and/or 
> .pcppass files.
>
> $ pg_enc -k ~/.pgpoolkey -u postgres -p
>
> db password:
>
> trying to read key from file /var/lib/pgsql/.pgpoolkey
>
> *P1+l8j3GaTxzSBgcY1laEQ==*
>
> pool_passwd string: *AESP1+l8j3GaTxzSBgcY1laEQ==*
>
> My understanding (please correct me if I’m wrong), is that the pcp.conf 
> file must use md5 encryption regardless of what your password_encryption 
> in the DB is.
>

pcp is for managing PgPool.

> The pool_password file (when using scram-sha-256 encryption) requires the 
> string it gets automatically (which includes the AES prefix) by the pg_enc 
> command when providing the “-m” attribute.
>

pool_passwd is for accessing PostgreSQL databases. Their "user lists" are 
completely separate.  You can, for example, have user "blarge" in pcp.conf 
but not in pool_passwd (and by extension be a PostgreSQL role).

>
> However, I’ve not been able to find anything documented for the password 
> files.
>

What do you mean? https://www.pgpool.net/docs/43/en/html/auth-methods.html 
describes pool_passwd, and describes how to create MD5 and SHA256 hashes.

>   I’m pretty sure I’ve seen that if I were to use an encrypted password 
> (scram-sha-256) in the pgpool.conf file, it must include the AES prefix.
>

pg_enc does that for you.

> In my testing I find that if the password in ~/.pgpass includes the AES 
> prefix in the encrypted password, I get password authentication failed for 
> user “postgres” when the system tries to start a replication slot.
>

That needs more detail.

-- 
Born in Arizona, moved to Babylonia.
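
An added example, not part of the original thread and not Pgpool-II code: libpq's ~/.pgpass (hostname:port:database:username:password) and the PCP client's ~/.pcppass (hostname:port:username:password) hold the plain-text password, so this linter flags entries where a pg_enc, md5 or SCRAM string was pasted in instead. The function names, the detection patterns and the use of libpq-style backslash escapes for .pcppass are assumptions of this example; the AES string in the sample is the one quoted above.

```python
import re

# Field counts for the two client-side password files (plain-text passwords).
FIELDS = {"pgpass": 5, "pcppass": 4}

# Heuristic patterns (an assumption of this example) for strings that belong
# in server-side files such as pool_passwd or pcp.conf, not in client files.
STORED_FORMS = [
    ("an AES pool_passwd string", re.compile(r"^AES[A-Za-z0-9+/]{20,}={0,2}$")),
    ("an md5-prefixed hash", re.compile(r"^md5[0-9a-f]{32}$")),
    ("a bare md5 digest", re.compile(r"^[0-9a-f]{32}$")),
    ("a SCRAM verifier", re.compile(r"^SCRAM-SHA-256\$")),
]

# Constructed sample file body; host names are placeholders.
SAMPLE_PGPASS = """\
# hostname:port:database:username:password
db1.example:5432:replication:postgres:AESP1+l8j3GaTxzSBgcY1laEQ==
db2.example:5432:*:postgres:s3cret\\:with-colon
"""

def split_fields(line):
    """Split on ':' while honouring backslash escapes (\\: and \\\\)."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def lint(text, kind):
    """Return (line_number, message) findings for a .pgpass/.pcppass body."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw or raw.startswith("#"):
            continue
        fields = split_fields(raw)
        if len(fields) != FIELDS[kind]:
            findings.append((n, f"expected {FIELDS[kind]} fields, got {len(fields)}"))
            continue
        for label, pattern in STORED_FORMS:
            if pattern.match(fields[-1]):
                findings.append((n, f"password looks like {label}; use plain text"))
                break
    return findings
```
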