[pgpool-hackers: 3120] Authetication broken in Pgpool-II 4.0?

Tatsuo Ishii ishii at sraoss.co.jp
Thu Nov 15 10:55:35 JST 2018

Hi Usama,

If we want sr_check or health_check authenticated against PostgreSQL
with md5, it seems it's not working anymore in 4.0 or later. I mean:

- health_check_password and/or sr_check_password are correctly set (in
  clear text or AES does not matter).

- auth method specified for health_check_user and/or sr_check_user in pg_hba.conf is md5.

- password for health_check_user and/or sr_check_user are encrypted in md5 in pg_shadow.

This works fine in 3.7 or before. So I guess there's something wrong
in 4.0's md5 auth routine.

Since default auth method in PostgreSQL 10 or 11 are still md5, this
could happen frequently if user does not change "password_encryption"
in postgresql.conf (it's still md5).

In fact we see multiple complains from users.
Typical symptom of this issue is something like:

DEBUG: do_query: extended:0 query:"SELECT pg_is_in_recovery()"
LOG: get_query_result: no rows returned

Actually what happens here in PostgreSQL side at this point is:

9716 2018-11-15 10:04:15 JST LOG:  statement: SELECT pg_is_in_recovery()
9716 2018-11-15 10:04:15 JST LOG:  could not send data to client: Broken pipe

I think we need to fix this as soon as possible. Can you please look into this?

Best regards,
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php

More information about the pgpool-hackers mailing list