[pgpool-hackers: 3660] Re: allow_clear_text_frontend_auth and pool_hba.conf

Muhammad Usama m.usama at gmail.com
Fri Jun 19 18:43:52 JST 2020 

On Mon, Jun 15, 2020 at 9:19 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:

> > Hi Ishii-San,
> >
> > On Fri, May 22, 2020 at 7:24 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> >
> >> While taking care of this:
> >> [pgpool-general: 7015] SSL authentication in Pgpool
> >>
> >> I noticed that if clear text password is flying between client and
> >> Pgpool-II, it will be more secure to accept only frontend using SSL
> >> connection. To force SSL connections, pool_hba.conf can be used
> >> (hostssl). However currently allow_clear_text_frontend_auth and
> >> pool_hba.conf are not compatible. Looking into the code, I think just
> >> removing "frontend->pool_hba == NULL" from following lines (there are
> >> 2 places same if-statement appear. One is MD5 and the aother is SCRAM)
> >> makes it possible for allow_clear_text_frontend_auth and pool_hba.conf
> >> be compatible.
> >>
> >>                         if (frontend->pool_hba == NULL &&
> >> pool_config->allow_clear_text_frontend_auth)
> >>
> >> The only concern is, if allow_clear_text_frontend_auth is enabled,
> >> auth methods including MD5, SCRAM specified in pool_hba.conf will be
> >> ignored.  Can we accept this?
> >>
> >
> > It is a tough choice as this will result, allow_clear_text_frontend_auth
> to
> > effectively
> > disable the pool_hba settings.
> >
> > How about if we add a new auth-options to the HBA line for that purpose?
> > For example:
> > host     postgres         all              192.168.12.10/32         md5
> >    allow_clear_text_auth=[on/off]
>
> I am not sure what you mean. For example,
>
> host     postgres         all              192.168.12.10/32         md5
> allow_clear_text_auth=on
>
> Will frontend be required to send a password in clear text or md5
> hashed? There's no way to do both.
>

What I mean to say is frontend must use the authentication method that is
specified
in the pool_hba (md5 in the case above example) as long as the pool_passwd
contains
the password for that connecting user.
But when the password for the user is not present in the pool_passwd file
then it should only
be allowed to use the clear text password when  allow_clear_text_auth=on is
set for that HBA entry.

Something like this

@@ -506,9 +506,9 @@ pool_do_auth(POOL_CONNECTION * frontend,
POOL_CONNECTION_POOL * cp)
* from client using plain text authentication if it is
* allowed by user
*/ -  if (frontend->pool_hba == NULL &&
pool_config->allow_clear_text_frontend_auth)
+  if (pool_config->allow_clear_text_frontend_auth &&
+       (frontend->pool_hba == NULL ||
frontend->pool_hba->allow_clear_text_auth)

What do you think will this work?

Thanks
Best regards
Muhammad Usama



> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20200619/21ee27c4/attachment.html>

More information about the pgpool-hackers mailing list