[pgpool-general: 9442] Re: scram-sha-256 Authentication

Sbob sbob at quadratum-braccas.com
Mon Apr 28 23:12:01 JST 2025


On 4/28/25 1:15 AM, Tatsuo Ishii wrote:
>> All;
>>
>> I have setup authentication where I have an md5 line in the
>> pool_hba.conf file for a user and I have an md5 password entry for the
>> user in the pool_passwd file, and the backend db is using
>> scram_sha_256
>>
>> I would like to setup the pool users to use scram sha 256 as well. I
>> see in the docs that I should use pg_enc to create the entry in the
>> pool_passwd file, however pg_enc is complaining about a key file.
>>
>> I do not understand where I should put the keyfile and what I should
>> put in the keyfile.
>>
>> I assume that AES is the same as scram sha 256?
> No. They are totally different things. scram-sha-256 is a protocol
> between client and pgpool. AES(256) is an encryption algorithm and here
> we use it for encrypting password in pool_passwd.
>
>> I see this in the docs:
>>
>> If you have AES encrypted passwords stored in the pool_passwd
>> <https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-POOL-PASSWD>
>> file, then Pgpool-II will require the decryption key to decrypt the
>> passwords before using them, Pgpool-II tries to read the decryption
>> key at startup from the .pgpoolkey file. .pgpoolkey is a plain text
>> file which contains the decryption key string.
>>
>> By default the Pgpool-II will look for the .pgpoolkey file in the
>> user's home directory or the file referenced by environment variable
>> PGPOOLKEYFILE. You can also specify the key file using the (-k,
>> --key-file=KEY_FILE) command line argument to the pgpool
>> <https://www.pgpool.net/docs/latest/en/html/pgpool.html> command. The
>> permissions on .pgpoolkey must disallow any access to world or
>> group. Change the file permissions by the command chmod 0600
>> ~/.pgpoolkey.
>>
>>
>> but I am still un-sure what I put in the keyfile
> When decrypting the encrypted password in pool_passwd, you need the
> encryption key, which is an arbitrary string. It's like a password. The
> encryption key must be something hard to guess by someone else. Once
> you think of such a string, you can store it in the .pgpoolkey file
> (or other file as the doc suggests). For example,
>
> echo "the_secret_string" > ~/.pgpoolkey
> chmod 600 ~/.pgpoolkey
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp



Perfect! Thank you
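The reply above shows the two steps for the key file (write a secret string, chmod 600). The following is an added example, not code from the thread or from Pgpool-II: it creates the key file with a random hex string instead of a typed one, sets the 0600 mode from the moment the file is created, and provides a check that fails when the file is group- or world-readable, which is the condition the docs say Pgpool-II will not accept. The file name, the key length and the helper names are this example's own choices; the real file is ~/.pgpoolkey, the path in PGPOOLKEYFILE, or whatever is passed with pgpool's -k/--key-file option.

```shell
#!/bin/sh
# Added example (not from the thread or from Pgpool-II): create and verify
# a .pgpoolkey file as the docs describe (plain text, mode 0600).

# make_pgpoolkey FILE
# Writes a random 32-byte key (hex encoded, 64 characters) to FILE.
# Refuses to overwrite an existing file so a key that pool_passwd entries
# were already encrypted with is not silently replaced.
make_pgpoolkey() {
    f="$1"
    if [ -e "$f" ]; then
        echo "make_pgpoolkey: $f already exists, not overwriting" >&2
        return 1
    fi
    # umask 077 in a subshell makes the file 0600 at creation time, so
    # there is no window in which the key is readable by others.
    ( umask 077
      od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$f"
      echo >> "$f" )
    [ -s "$f" ]
}

# check_pgpoolkey FILE
# Returns 0 only if FILE is a regular, non-empty file whose mode is exactly
# rw------- (0600): no group or world access, as the docs require.
check_pgpoolkey() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    # First 10 characters of ls -ld are the type and permission bits;
    # cutting there also ignores a trailing ACL/SELinux marker.
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Demonstration on a temporary path (constructed; use ~/.pgpoolkey for real).
tmp=$(mktemp)
rm -f "$tmp"
make_pgpoolkey "$tmp"
if check_pgpoolkey "$tmp"; then
    echo "$tmp: key file OK (0600, non-empty)"
fi
chmod 644 "$tmp"
if ! check_pgpoolkey "$tmp"; then
    echo "$tmp: rejected after chmod 644 (group/world readable)"
fi
rm -f "$tmp"
```

Run check_pgpoolkey against the file you hand to pg_enc and pgpool before starting them; a file that fails it is the usual reason the key is read on one host and refused on another after a copy with default permissions.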