[pgpool-hackers: 3842] Re: Dealing with GSSAPI

Umar Hayat m.umarkiani at gmail.com
Sat Oct 3 01:27:06 JST 2020


Hi Ishii,
I don't have any SSL setup for the database I am using. In the last log I
shared for fallback, only trust was used as the fallback. I am not sure why
we see SSLRequest in the log (could it be a bug?)

I retested the fallback scenario with scram-sha-256 and the following is
the log; it successfully used scram-sha-256 after the gss fallback.

psql output:
[umarhayat at myrealm pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
Password for user postgres/myrealm.example at MYREALM.EXAMPLE:
psql (13.0)
Type "help" for help.

pgpool log:
2020-10-02 12:16:34: pid 35644: DEBUG:  selecting backend connection
2020-10-02 12:16:34: pid 35644: DETAIL:  GSSAPI request from client
2020-10-02 12:16:34: pid 35644: DEBUG:  reading startup packet
2020-10-02 12:16:34: pid 35644: DETAIL:  Protocol Major: 1234 Minor: 5679 database: � 0 user: � 0
2020-10-02 12:16:34: pid 35644: DEBUG:  selecting backend connection
2020-10-02 12:16:34: pid 35644: DETAIL:  SSLRequest from client
2020-10-02 12:16:34: pid 35644: DEBUG:  reading startup packet
2020-10-02 12:16:34: pid 35644: DETAIL:  application_name: psql
2020-10-02 12:16:34: pid 35644: DEBUG:  reading startup packet
2020-10-02 12:16:34: pid 35644: DETAIL:  Protocol Major: 3 Minor: 0 database: postgres user: postgres/myrealm.example at MYREALM.EXAMPLE
2020-10-02 12:16:34: pid 35644: DEBUG:  creating new connection to backend
2020-10-02 12:16:34: pid 35644: DETAIL:  connecting 0 backend
2020-10-02 12:16:34: pid 35644: DEBUG:  authentication backend
2020-10-02 12:16:34: pid 35644: DETAIL:  auth kind:10
2020-10-02 12:16:34: pid 35644: DEBUG:  authentication backend 0
2020-10-02 12:16:34: pid 35644: DETAIL:  trying SCRAM authentication
2020-10-02 12:16:38: pid 35669: DEBUG:  I am 35669 accept fd 7
2020-10-02 12:16:38: pid 35669: DEBUG:  reading startup packet
2020-10-02 12:16:38: pid 35669: DETAIL:  Protocol Major: 1234 Minor: 5680 database:  user:
2020-10-02 12:16:38: pid 35669: DEBUG:  selecting backend connection
2020-10-02 12:16:38: pid 35669: DETAIL:  GSSAPI request from client
2020-10-02 12:16:38: pid 35669: DEBUG:  reading startup packet
2020-10-02 12:16:38: pid 35669: DETAIL:  Protocol Major: 1234 Minor: 5679 database: � 0 user: � 0
2020-10-02 12:16:38: pid 35669: DEBUG:  selecting backend connection
2020-10-02 12:16:38: pid 35669: DETAIL:  SSLRequest from client
2020-10-02 12:16:38: pid 35669: DEBUG:  reading startup packet
2020-10-02 12:16:38: pid 35669: DETAIL:  application_name: psql
2020-10-02 12:16:38: pid 35669: DEBUG:  reading startup packet
2020-10-02 12:16:38: pid 35669: DETAIL:  Protocol Major: 3 Minor: 0 database: postgres user: postgres/myrealm.example at MYREALM.EXAMPLE
2020-10-02 12:16:38: pid 35669: DEBUG:  creating new connection to backend
2020-10-02 12:16:38: pid 35669: DETAIL:  connecting 0 backend
2020-10-02 12:16:38: pid 35669: DEBUG:  authentication backend
2020-10-02 12:16:38: pid 35669: DETAIL:  auth kind:10
2020-10-02 12:16:38: pid 35669: DEBUG:  authentication backend 0
2020-10-02 12:16:38: pid 35669: DETAIL:  trying SCRAM authentication
2020-10-02 12:16:38: pid 35669: DEBUG:  SCRAM authentication successful for backend 0

pg_hba:
host    all             all             127.0.0.1/32            scram-sha-256
host all postgres/myrealm.example at MYREALM.EXAMPLE  0.0.0.0/0 gss include_realm=1 krb_realm=MYREALM.EXAMPLE


Let me know if more investigation is required.

Regards
Umar Hayat

On Fri, Oct 2, 2020 at 9:55 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:

> Hi Umar,
>
> > Hi Ishii,
> > I didn't share the output earlier, where there is some other pg_hba entry
> > available to fallback. It does fallback in that case. Please see psql
> > output and log snippet below.
>
> Oh, ok thanks.  It seems the following output falls back to an SSL
> connection. Can you confirm it can also fall back to a non-SSL
> connection?
>
> > [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
> > psql (13.0)
> > Type "help" for help.
> >
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  Protocol Major: 1234 Minor: 5680 database:  user:
> > 2020-10-01 07:33:06: pid 21199: DEBUG:  selecting backend connection
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  GSSAPI request from client
> > 2020-10-01 07:33:06: pid 21199: DEBUG:  reading startup packet
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  Protocol Major: 1234 Minor: 5679 database: � 0 user: � 0
> > 2020-10-01 07:33:06: pid 21199: DEBUG:  selecting backend connection
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  SSLRequest from client
> > 2020-10-01 07:33:06: pid 21199: DEBUG:  reading startup packet
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  application_name: psql
> > 2020-10-01 07:33:06: pid 21199: DEBUG:  reading startup packet
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  Protocol Major: 3 Minor: 0 database: postgres user: postgres/myrealm.example at MYREALM.EXAMPLE
> > 2020-10-01 07:33:06: pid 21199: DEBUG:  creating new connection to backend
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  connecting 0 backend
> > 2020-10-01 07:33:06: pid 21199: DEBUG:  authentication backend
> > 2020-10-01 07:33:06: pid 21199: DETAIL:  auth kind:0
> >
> > Regards
> > Umar Hayat
> >
> >
> > On Fri, Oct 2, 2020 at 2:31 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> >
> >> Hi Umar,
> >>
> >> I actually expected that psql connects to Pgpool-II without GSSAPI
> >> auth (i.e. fallback to non-GSSAPI auth). In my understanding the
> >> default behavior of psql does so because of gssencmode=prefer.  Can
> >> you please enable pgpool debug log by log_min_messages=debug1 and show
> >> the log?
> >>
> >> > Thank you!
> >> >
> >> >> Hi Ishii,
> >> >>
> >> >> I tested your patch and was not able to apply it, so I rebased it.
> >> >> I tested it on Pgpool 4.1 and it is working as expected.
> >> >>
> >> >> - GSSAPI Authentication direct to PG13
> >> >> [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 5432
> >> >> psql (13.0)
> >> >> GSSAPI-encrypted connection
> >> >> Type "help" for help.
> >> >>
> >> >> - GSSAPI Authentication via Pgpool direct to PG13 (before patch)
> >> >> postgres=# \q
> >> >> [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
> >> >> psql: error: could not connect to server: server closed the connection unexpectedly
> >> >> This probably means the server terminated abnormally
> >> >> before or while processing the request.
> >> >>
> >> >> - GSSAPI Authentication via Pgpool direct to PG13 (after patch)
> >> >> [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
> >> >> psql: error: could not connect to server: ERROR:  failed to authenticate with backend
> >> >> DETAIL:  unsupported auth kind received from backend: authkind:7
> >> >>
> >> >> Regards
> >> >> Umar Hayat
> >> >>
> >> >> On Wed, Sep 23, 2020 at 8:15 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> >> >>
> >> >>> As you might already know, Pgpool-II currently does not support
> >> >>> GSSAPI.  Until we support it, I think we need to tell frontend that
> >> >>> Pgpool-II does not support GSSAPI when frontend requests it.
> >> >>> Otherwise frontend will have a confusing message from Pgpool-II.
> >> >>>
> >> >>> https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html
> >> >>>
> >> >>> Attached patch should do it. I don't have GSSAPI enabled frontend
> >> >>> and I cannot test it. I would appreciate if someone tests it out.
> >> >>>
> >> >>> Best regards,
> >> >>> --
> >> >>> Tatsuo Ishii
> >> >>> SRA OSS, Inc. Japan
> >> >>> English: http://www.sraoss.co.jp/index_en.php
> >> >>> Japanese:http://www.sraoss.co.jp
> >> >>> _______________________________________________
> >> >>> pgpool-hackers mailing list
> >> >>> pgpool-hackers at pgpool.net
> >> >>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
> >> >>>
> >>
>
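
Added example (not part of the original thread and not Pgpool-II code): a Python script that reads pgpool debug lines in the format shown in the logs above, names the protocol codes (1234/5680, 1234/5679, 3/0) and the backend "auth kind" codes, and flags sessions where a client that asked for GSSAPI encryption ended up with a non-GSS authentication method. The sample log lines, the pids and the gss_fallback field are constructed for illustration.

```python
import re
from collections import defaultdict

# Codes carried in the version field of the first packet a client sends.
# With libpq defaults gssencmode=prefer and sslmode=prefer, a declined
# GSSENCRequest is followed by SSLRequest, then a plain StartupMessage.
REQUESTS = {(1234, 5678): "CancelRequest", (1234, 5679): "SSLRequest",
            (1234, 5680): "GSSENCRequest", (3, 0): "StartupMessage"}
# AuthenticationRequest codes the backend sends ("auth kind" in the log).
AUTH_KINDS = {0: "AuthenticationOk (no challenge)", 3: "CleartextPassword",
              5: "MD5Password", 7: "GSS", 8: "GSSContinue", 10: "SASL (SCRAM)"}

LINE = re.compile(r"pid (\d+): \w+:\s+(.*)")
PROTO = re.compile(r"Protocol Major: (\d+) Minor: (\d+)")
AUTH = re.compile(r"auth kind:\s*(\d+)")

def summarize(log_text):
    """Group debug lines by pid and report how each session negotiated."""
    sessions = defaultdict(lambda: {"requests": [], "auth": None, "gss_fallback": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[int(m.group(1))], m.group(2)
        proto, auth = PROTO.search(msg), AUTH.search(msg)
        if proto:
            key = (int(proto.group(1)), int(proto.group(2)))
            s["requests"].append(REQUESTS.get(key, "unknown %d/%d" % key))
        elif auth:
            kind = int(auth.group(1))
            s["auth"] = AUTH_KINDS.get(kind, "kind %d" % kind)
            # Assumed flag: GSSAPI encryption was requested, backend used a non-GSS method.
            s["gss_fallback"] = "GSSENCRequest" in s["requests"] and kind not in (7, 8)
    return dict(sessions)

# Constructed sample in the format of the pgpool debug log (pids are made up).
SAMPLE = """\
2020-10-02 12:16:38: pid 101: DETAIL:  Protocol Major: 1234 Minor: 5680 database:  user:
2020-10-02 12:16:38: pid 101: DETAIL:  Protocol Major: 1234 Minor: 5679 database:  user:
2020-10-02 12:16:38: pid 101: DETAIL:  Protocol Major: 3 Minor: 0 database: postgres user: alice
2020-10-02 12:16:38: pid 101: DETAIL:  auth kind:10
2020-10-02 12:16:39: pid 102: DETAIL:  Protocol Major: 1234 Minor: 5680 database:  user:
2020-10-02 12:16:39: pid 102: DETAIL:  Protocol Major: 3 Minor: 0 database: postgres user: alice
2020-10-02 12:16:39: pid 102: DETAIL:  auth kind:0
2020-10-02 12:16:40: pid 103: DETAIL:  Protocol Major: 3 Minor: 0 database: postgres user: bob
2020-10-02 12:16:40: pid 103: DETAIL:  auth kind:10
"""

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, " -> ".join(s["requests"]), "|", s["auth"], "|", s["gss_fallback"])
```

A session that falls back to auth kind 0 is the one to look at first, since the backend then accepted the connection without any challenge.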