[pgpool-hackers: 3843] Re: Dealing with GSSAPI

Tatsuo Ishii ishii at sraoss.co.jp
Sat Oct 3 08:08:10 JST 2020


Hi Umar,

> Hi Ishii,
> I don't have any SSL setup for the database I am using. Last log I shared
> for fall back, only trust was used as fall back. I am not sure why we see
> SSLRequest in log (Could it be a bug?)

I think that's because your psql is built with SSL and psql (libpq)'s
default is "sslmode=prefer".

https://www.postgresql.org/docs/13/libpq-connect.html#LIBPQ-PARAMKEYWORDS
-------------------------------------------------------------------------
prefer (default)

    first try an SSL connection; if that fails, try a non-SSL connection
-------------------------------------------------------------------------

So if your psql is built without SSL, it will not send SSLRequest.
(or you can disable SSL request with something like: psql "sslmode=disable")

> I retested the fallback scenario with scram-sha-256 and the following is
> log, and it successfully used scram-sha-256 after gss fallback.

Looks good.
[snip]

> Let me know if more investigation is required.

Thank you! I confirmed my patch works. I am going to apply the patch.

> Regards
> Umar Hayat
> 
> On Fri, Oct 2, 2020 at 9:55 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> 
>> Hi Umar,
>>
>> > Hi Ishii,
>> > I didn't share the output earlier, where there is some other pg_hba entry
>> > available to fallback. It does fallback in that case. Please see psql
>> > output and log snippet below.
>>
>> Oh, ok thanks.  It seems the following output fallbacks to SSL
>> connection. Can you confirm it can also fallback to non-SSL
>> connection?
>>
>> > [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
>> > psql (13.0)
>> > Type "help" for help.
>> >
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  Protocol Major: 1234 Minor: 5680
>> > database:  user:
>> > 2020-10-01 07:33:06: pid 21199: DEBUG:  selecting backend connection
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  GSSAPI request from client
>> > 2020-10-01 07:33:06: pid 21199: DEBUG:  reading startup packet
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  Protocol Major: 1234 Minor: 5679
>> > database: � 0 user: � 0
>> > 2020-10-01 07:33:06: pid 21199: DEBUG:  selecting backend connection
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  SSLRequest from client
>> > 2020-10-01 07:33:06: pid 21199: DEBUG:  reading startup packet
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  application_name: psql
>> > 2020-10-01 07:33:06: pid 21199: DEBUG:  reading startup packet
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  Protocol Major: 3 Minor: 0
>> > database: postgres user: postgres/myrealm.example at MYREALM.EXAMPLE
>> > 2020-10-01 07:33:06: pid 21199: DEBUG:  creating new connection to backend
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  connecting 0 backend
>> > 2020-10-01 07:33:06: pid 21199: DEBUG:  authentication backend
>> > 2020-10-01 07:33:06: pid 21199: DETAIL:  auth kind:0
>> >
>> > Regards
>> > Umar Hayat
>> >
>> >
>> > On Fri, Oct 2, 2020 at 2:31 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>> >
>> >> Hi Umar,
>> >>
>> >> I actually expected that psql connects to Pgpool-II without GSSAPI
>> >> auth (i.e. fallback to non-GSSAPI auth). In my understanding the
>> >> default behavior of psql does so because of gssencmode=prefer.  Can
>> >> you please enable pgpool debug log by log_min_messages=debug1 and show
>> >> the log?
>> >>
>> >> > Thank you!
>> >> >
>> >> >> Hi Ishii,
>> >> >>
>> >> >> I tested your patch and was not able to apply it, so I rebased it. I tested
>> >> >> it on Pgpool 4.1 and it is working as expected.
>> >> >>
>> >> >> - GSSAPI Authentication direct to PG13
>> >> >> [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 5432
>> >> >> psql (13.0)
>> >> >> GSSAPI-encrypted connection
>> >> >> Type "help" for help.
>> >> >>
>> >> >> - GSSAPI Authentication via Pgpool direct to PG13 (before patch)
>> >> >> postgres=# \q
>> >> >> [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
>> >> >> psql: error: could not connect to server: server closed the connection unexpectedly
>> >> >> This probably means the server terminated abnormally
>> >> >> before or while processing the request.
>> >> >>
>> >> >> - GSSAPI Authentication via Pgpool direct to PG13 (after patch)
>> >> >> [umarhayat at localhost pgpool2]# psql -U "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
>> >> >> psql: error: could not connect to server: ERROR:  failed to authenticate with backend
>> >> >> DETAIL:  unsupported auth kind received from backend: authkind:7
>> >> >>
>> >> >> Regards
>> >> >> Umar Hayat
>> >> >>
>> >> >> On Wed, Sep 23, 2020 at 8:15 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>> >> >>
>> >> >>> As you might already know, Pgpool-II currently does not support
>> >> >>> GSSAPI.  Until we support it, I think we need to tell frontend that
>> >> >>> Pgpool-II does not support GSSAPI when frontend requests it. Otherwise
>> >> >>> frontend will have a confusing message from Pgpool-II.
>> >> >>>
>> >> >>> https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html
>> >> >>>
>> >> >>> Attached patch should do it. I don't have GSSAPI enabled frontend and
>> >> >>> I cannot test it. I would appreciate if someone tests it out.
>> >> >>>
>> >> >>> Best regards,
>> >> >>> --
>> >> >>> Tatsuo Ishii
>> >> >>> SRA OSS, Inc. Japan
>> >> >>> English: http://www.sraoss.co.jp/index_en.php
>> >> >>> Japanese:http://www.sraoss.co.jp
>> >> >>> _______________________________________________
>> >> >>> pgpool-hackers mailing list
>> >> >>> pgpool-hackers at pgpool.net
>> >> >>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>> >> >>>
>> >>
>>
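As an added example (not code from this thread or from the Pgpool-II source; all names in it are mine), the following C snippet classifies the startup-packet request codes that pgpool's debug log above prints (1234/5680 GSSENCRequest, 1234/5679 SSLRequest, 3/0 StartupMessage) and gives the single-byte 'N' answer a proxy without GSSAPI support returns, which is what lets a libpq client in the default gssencmode=prefer and sslmode=prefer fall back to the next method instead of failing:

```c
#include <stddef.h>
#include <stdint.h>

/* Startup-packet request codes from the PostgreSQL frontend/backend protocol,
 * encoded as (major << 16) | minor, the pair pgpool's debug log above prints
 * as "Protocol Major: 1234 Minor: 5680" and so on. */
enum startup_kind {
    STARTUP_V3,        /* 3.0: a normal StartupMessage (database:, user:) */
    STARTUP_CANCEL,    /* 1234.5678: CancelRequest */
    STARTUP_SSL,       /* 1234.5679: SSLRequest */
    STARTUP_GSSENC,    /* 1234.5680: GSSENCRequest */
    STARTUP_UNKNOWN,
    STARTUP_TRUNCATED  /* fewer than the 8 header bytes were read */
};

/* Classify the first 8 bytes (int32 length + int32 code, network byte order).
 * major/minor may be NULL when the caller only wants the kind. */
static enum startup_kind classify_startup(const unsigned char *buf, size_t len,
                                          uint16_t *major, uint16_t *minor)
{
    if (len < 8)
        return STARTUP_TRUNCATED;
    uint32_t code = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                    ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    uint16_t ma = (uint16_t)(code >> 16), mi = (uint16_t)(code & 0xffff);
    if (major) *major = ma;
    if (minor) *minor = mi;
    if (ma == 3 && mi == 0) return STARTUP_V3;
    if (ma != 1234) return STARTUP_UNKNOWN;
    if (mi == 5678) return STARTUP_CANCEL;
    if (mi == 5679) return STARTUP_SSL;
    if (mi == 5680) return STARTUP_GSSENC;
    return STARTUP_UNKNOWN;
}

/* A proxy that supports neither GSSAPI encryption nor SSL answers each of
 * these negotiation requests with the single byte 'N'; libpq in its default
 * gssencmode=prefer / sslmode=prefer then retries with the next method, which
 * is the fallback chain the log shows. Returns 0 when no such reply applies. */
static char negotiation_reply(enum startup_kind kind)
{
    return (kind == STARTUP_SSL || kind == STARTUP_GSSENC) ? 'N' : 0;
}

/* Constructed samples: int32 length, then the big-endian request code. */
static const unsigned char SAMPLE_GSSENC[8] = {0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x30};
static const unsigned char SAMPLE_SSL[8]    = {0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f};
static const unsigned char SAMPLE_V3[8]     = {0, 0, 0, 80, 0x00, 0x03, 0x00, 0x00};
```

A 'N' reply to a GSSENCRequest is what the patched Pgpool-II needs to produce so that psql proceeds to the SSLRequest and then the plain 3.0 startup seen in the log, rather than the "server closed the connection unexpectedly" error from before the patch.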

