[pgpool-hackers: 3341] Re: [pgpool-general: 6575] Re: Pgpool-II - PosgreSQL 9.5 MD5 Auth Issues

Tatsuo Ishii ishii at sraoss.co.jp
Wed Jun 5 11:50:26 JST 2019


And here is the diff for the documents.

From: Tatsuo Ishii <ishii at sraoss.co.jp>
Subject: [pgpool-hackers: 3340] Re: [pgpool-general: 6575] Re: Pgpool-II - PosgreSQL 9.5 MD5 Auth Issues
Date: Sun, 02 Jun 2019 16:28:14 +0900 (JST)
Message-ID: <20190602.162814.1161198732348420027.t-ishii at sraoss.co.jp>

>> Hi Usama,
>> 
>> After answering this:
>>> 2) you need to store the password for "pgpool" user as either "plain
>>> text" or "AES256 encrypted" form (see
>>> http://www.pgpool.net/docs/latest/en/html/auth-aes-encrypted-password.html
>>> for more detail) into pool_password. "md5" form does not work in this
>>> case. This is because you set sr_check_password to '' and expect
>>> Pgpool-II to extract password from pool_password. If the password is
>>> in md5, Pgpool-II cannot "unhash" the md5 password to extract the raw
>>> password string.
>> 
>> I start to think that the rule that an MD5-format password stored in
>> pool_password cannot be used when sr_check_password is empty is not an
>> essential restriction but just a coding restriction.
>> 
>> 1. worker process needs to connect to backend.
>> 2. it finds an entry for sr_check_user in pool_passwd.
>> 3. the password is actually md5(password+username). let me denote it as "S".
>> 4. worker process sends a start up packet to backend.
>> 5. backend replies with salt "s0".
>> 6. worker process calculates md5(S+s0) and sends it to backend.
>> 7. md5 auth succeeds.
>> 
>> Am I missing something?
> 
> Ok, attached is the patch to allow md5 password for
> health_check_password and sr_check_password.
> 
> 1) if health_check_password or sr_check_password is empty string ('')
>    and there's a md5 password for the user in pool_password (in form
>    of "md5..."), it will be used.
> 
> 2) if health_check_password or sr_check_password is not empty string
>    ('') and is in md5 password format, it will be used.
> 
> In summary, with this patch the md5 password is not a "2nd class citizen" any
> more. It can be used just like a plain text password or an AES256 encrypted
> password.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: md5auth-doc.diff
Type: text/x-patch
Size: 7458 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20190605/feac8c1e/attachment.bin>
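The seven-step md5 flow quoted above, worked through as an added example (not code from this thread or from Pgpool-II): the client side only needs the stored hash S, never the raw password, which is the observation behind the patch. The username, password and salt below are constructed sample values, and the "md5" + hex layout of the pool_passwd entry is assumed to match PostgreSQL's own md5 password format.

```python
import hashlib
import hmac


def pg_md5_stored(password: str, username: str) -> str:
    """Form stored by PostgreSQL and in pool_passwd: "md5" + hex(md5(password || username)).

    Step 3 of the quoted flow: the hex digest part is "S".
    """
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_auth_response(stored: str, salt: bytes) -> str:
    """Step 6: the response to AuthenticationMD5Password, computed from S alone.

    response = "md5" + hex(md5(S || salt)), where S is the 32-char hex digest
    without its "md5" prefix. No raw password is needed, so a worker process
    holding only the pool_passwd md5 entry can authenticate.
    """
    if not (stored.startswith("md5") and len(stored) == 35):
        raise ValueError("expected a 35-character md5-prefixed entry")
    S = stored[3:]
    return "md5" + hashlib.md5(S.encode() + salt).hexdigest()


def backend_verify(stored: str, salt: bytes, response: str) -> bool:
    """Step 7: the backend recomputes the expected response from its own stored
    hash and the salt it issued in step 5, and compares in constant time."""
    return hmac.compare_digest(md5_auth_response(stored, salt), response)


if __name__ == "__main__":
    # Constructed sample values; a real backend picks a fresh random 4-byte salt.
    stored = pg_md5_stored("secret", "pgpool")
    salt = b"\x01\x02\x03\x04"
    print("pool_passwd entry:", stored)
    print("client response  :", md5_auth_response(stored, salt))
    print("backend accepts  :", backend_verify(stored, salt, md5_auth_response(stored, salt)))
```

Because the stored entry is all a client needs, the md5 form in pool_passwd is a password-equivalent secret and must be protected as carefully as a plain text one.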