[pgpool-hackers: 3646] Re: allow_clear_text_frontend_auth and pool_hba.conf

Muhammad Usama m.usama at gmail.com
Thu Jun 11 21:17:42 JST 2020


Hi Ishii-San,

On Fri, May 22, 2020 at 7:24 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:

> While taking care of this:
> [pgpool-general: 7015] SSL authentication in Pgpool
>
> I noticed that if clear text password is flying between client and
> Pgpool-II, it will be more secure to accept only frontend using SSL
> connection. To force SSL connections, pool_hba.conf can be used
> (hostssl). However currently allow_clear_text_frontend_auth and
> pool_hba.conf are not compatible. Looking into the code, I think just
> removing "frontend->pool_hba == NULL" from following lines (there are
> 2 places same if-statement appear. One is MD5 and the aother is SCRAM)
> makes it possible for allow_clear_text_frontend_auth and pool_hba.conf
> be compatible.
>
>                         if (frontend->pool_hba == NULL && pool_config->allow_clear_text_frontend_auth)
>
> The only concern is, if allow_clear_text_frontend_auth is enabled,
> auth methods including MD5, SCRAM specified in pool_hba.conf will be
> ignored.  Can we accept this?
>

It is a tough choice, as this will result in allow_clear_text_frontend_auth
effectively disabling the pool_hba settings.

How about if we add a new auth option to the HBA line for that purpose?
For example:
host     postgres         all              192.168.12.10/32         md5     allow_clear_text_auth=[on/off]

Thanks
Best regards
Muhammad Usama


> Attached is the patch to implement above. Also I have downgraded following
> log messages:
>
>         ereport(LOG,
>                 (errmsg("using clear text authentication with frontend"),
>                  errdetail("backend will still use md5 auth"),
>                  errhint("you can disable this behavior by setting allow_clear_text_frontend_auth to off")));
>
> because every time a frontend is authenticated, this log is emitted. It seems
> too much.
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
> _______________________________________________
> pgpool-hackers mailing list
> pgpool-hackers at pgpool.net
> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>
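To make the two alternatives in this thread concrete, here is an added example (not pgpool-II code, and not from either author) that models pool_hba.conf matching as a small Python script. It parses pg_hba-style lines, picks the first matching line the way pool_hba.conf does, and then decides whether pgpool may ask the frontend for a clear text password: a per-line `allow_clear_text_auth=on/off` option as Usama proposes wins when present, and otherwise the global `allow_clear_text_frontend_auth` knob applies as in Ishii's patch. The option name, the sample configuration and the connection attributes are assumptions constructed for the example; the real pool_hba.conf parser also accepts a separate netmask field and `local` lines, which this toy skips. The third field of the result flags the case the thread is worried about: clear text leaving the client on a connection that is not SSL.

```python
"""Toy model of pool_hba.conf matching plus the per-line clear-text option
proposed in this thread. Added example, not pgpool-II's own code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HbaLine:
    conn_type: str                 # host, hostssl or hostnossl
    databases: list
    users: list
    network: object                # an ipaddress network
    method: str                    # trust, md5, scram-sha-256, ...
    options: dict = field(default_factory=dict)


@dataclass
class Decision:
    method: str                    # method from the matching line, or "reject"
    ask_clear_text: bool           # may pgpool ask the frontend for a clear text password?
    clear_text_without_ssl: bool   # True when that password would cross a non-SSL connection


# Constructed sample pool_hba.conf; the allow_clear_text_auth option is the
# proposal from this thread, not an implemented pgpool-II setting.
SAMPLE_POOL_HBA = """
# TYPE   DATABASE  USER  ADDRESS            METHOD          [OPTIONS]
host     all       all   127.0.0.1/32       trust
hostssl  all       all   192.168.12.0/24    md5             allow_clear_text_auth=on
host     all       all   192.168.12.0/24    md5             allow_clear_text_auth=off
host     postgres  all   10.0.0.5/32        scram-sha-256
"""


def parse_pool_hba(text):
    """Parse lines of the form TYPE DATABASE USER ADDRESS METHOD [name=value ...].
    Assumption: CIDR addresses only; 'local' lines are skipped as out of scope."""
    lines = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        f = body.split()
        if f[0] == "local":
            continue
        if len(f) < 5:
            raise ValueError(f"malformed hba line: {raw!r}")
        options = {}
        for opt in f[5:]:
            if "=" not in opt:
                raise ValueError(f"auth option must be name=value: {opt!r}")
            name, value = opt.split("=", 1)
            options[name] = value
        lines.append(HbaLine(f[0], f[1].split(","), f[2].split(","),
                             ipaddress.ip_network(f[3], strict=False), f[4], options))
    return lines


def match_hba(lines, database, user, client_ip, ssl):
    """First matching line wins, as in pg_hba.conf and pool_hba.conf."""
    ip = ipaddress.ip_address(client_ip)
    for h in lines:
        if h.conn_type == "hostssl" and not ssl:
            continue
        if h.conn_type == "hostnossl" and ssl:
            continue
        if "all" not in h.databases and database not in h.databases:
            continue
        if "all" not in h.users and user not in h.users:
            continue
        if ip not in h.network:
            continue
        return h
    return None


def decide(hba_text, database, user, client_ip, ssl, allow_clear_text_frontend_auth):
    """Decide whether the frontend may be asked for a clear text password."""
    h = match_hba(parse_pool_hba(hba_text), database, user, client_ip, ssl)
    if h is None:
        return Decision("reject", False, False)
    per_line = h.options.get("allow_clear_text_auth")   # proposed per-line option
    if per_line is None:
        ask = allow_clear_text_frontend_auth              # fall back to the global knob
    else:
        ask = per_line == "on"
    # A clear text round trip only matters for password-based methods.
    ask = ask and h.method in ("md5", "scram-sha-256")
    return Decision(h.method, ask, ask and not ssl)


if __name__ == "__main__":
    for ip, ssl in (("192.168.12.10", True), ("192.168.12.10", False), ("10.0.0.5", False)):
        print(ip, "ssl" if ssl else "plain", decide(SAMPLE_POOL_HBA, "postgres", "app", ip, ssl, True))
```

Running the script with the sample shows the effect of the two designs: the SSL client on 192.168.12.0/24 is allowed clear text by its own line, the non-SSL client on the same network is denied it by the sibling `host` line even though the global knob is on, and the 10.0.0.5 line, which carries no option, inherits the global setting and is therefore flagged as sending clear text over a non-SSL connection.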