[pgpool-hackers: 3664] Re: allow_clear_text_frontend_auth and pool_hba.conf

Tatsuo Ishii ishii at sraoss.co.jp
Sat Jun 20 19:34:40 JST 2020 

> On Mon, Jun 15, 2020 at 9:19 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> 
>> > Hi Ishii-San,
>> >
>> > On Fri, May 22, 2020 at 7:24 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>> >
>> >> While taking care of this:
>> >> [pgpool-general: 7015] SSL authentication in Pgpool
>> >>
>> >> I noticed that if clear text password is flying between client and
>> >> Pgpool-II, it will be more secure to accept only frontend using SSL
>> >> connection. To force SSL connections, pool_hba.conf can be used
>> >> (hostssl). However currently allow_clear_text_frontend_auth and
>> >> pool_hba.conf are not compatible. Looking into the code, I think just
>> >> removing "frontend->pool_hba == NULL" from following lines (there are
>> >> 2 places same if-statement appear. One is MD5 and the aother is SCRAM)
>> >> makes it possible for allow_clear_text_frontend_auth and pool_hba.conf
>> >> be compatible.
>> >>
>> >>                         if (frontend->pool_hba == NULL &&
>> >> pool_config->allow_clear_text_frontend_auth)
>> >>
>> >> The only concern is, if allow_clear_text_frontend_auth is enabled,
>> >> auth methods including MD5, SCRAM specified in pool_hba.conf will be
>> >> ignored.  Can we accept this?
>> >>
>> >
>> > It is a tough choice as this will result, allow_clear_text_frontend_auth
>> to
>> > effectively
>> > disable the pool_hba settings.
>> >
>> > How about if we add a new auth-options to the HBA line for that purpose?
>> > For example:
>> > host     postgres         all              192.168.12.10/32         md5
>> >    allow_clear_text_auth=[on/off]
>>
>> I am not sure what you mean. For example,
>>
>> host     postgres         all              192.168.12.10/32         md5
>> allow_clear_text_auth=on
>>
>> Will frontend be required to send a password in clear text or md5
>> hashed? There's no way to do both.
>>
> 
> What I mean to say is frontend must use the authentication method that is
> specified
> in the pool_hba (md5 in the case above example) as long as the pool_passwd
> contains
> the password for that connecting user.
> But when the password for the user is not present in the pool_passwd file
> then it should only
> be allowed to use the clear text password when  allow_clear_text_auth=on is
> set for that HBA entry.
> 
> Something like this
> 
> @@ -506,9 +506,9 @@ pool_do_auth(POOL_CONNECTION * frontend,
> POOL_CONNECTION_POOL * cp)
> * from client using plain text authentication if it is
> * allowed by user
> */ -  if (frontend->pool_hba == NULL &&
> pool_config->allow_clear_text_frontend_auth)
> +  if (pool_config->allow_clear_text_frontend_auth &&
> +       (frontend->pool_hba == NULL ||
> frontend->pool_hba->allow_clear_text_auth)
> 
> What do you think will this work?

Sorry, I did not realize that to force SSL connection with clear text
password, we can just use auth method "password" in pool_hba.conf with
"hostssl". e.g.

hostssl	all	    foo		127.0.0.1/32          password

Sorry for noise.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

More information about the pgpool-hackers mailing list