[pgpool-hackers: 2876] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Tatsuo Ishii ishii at sraoss.co.jp
Mon Jul 23 11:13:17 JST 2018 

Usama,

Thank you for the updation!

Here are some commnets.

1) There are some traling space additions in the patch.

t-ishii at localhost: git apply ~/scram_auth_feature_patch.diff 
/home/t-ishii/scram_auth_feature_patch.diff:1692: trailing whitespace.
	
/home/t-ishii/scram_auth_feature_patch.diff:1696: trailing whitespace.
	
/home/t-ishii/scram_auth_feature_patch.diff:1702: trailing whitespace.
	
/home/t-ishii/scram_auth_feature_patch.diff:1709: trailing whitespace.
	
/home/t-ishii/scram_auth_feature_patch.diff:2792: trailing whitespace.
	
warning: squelched 87 whitespace errors
warning: 92 lines add whitespace errors.

2) Design suggesions

> Note: allow_clear_text_frontend_auth only works when pool_hba.conf is not
> enabled in pgpool.conf
> 
> 
> For example: suppose PostgreSQL servers has a user named "*some_user*"
> which can connect to database using SCRAM authentication, Now for this
> "some_user" to connect to PostgreSQL using SCRAM through Pgpool-II we must
> have the *some_user*'s password stored in the pool_passwd file, but if in
> some case when pool_passwd does not have the entry of "*some_user*" and
> *allow_clear_text_frontend_auth *is enabled in the pgpool.conf then
> Pgpool-II will ask the connecting frontend to use clear-text-password auth
> method for authentication, and after receiving the password from the
> client, Pgpool-II will use that password to authenticate with backend using
> the required SCRAM auth.

Why do we need "allow_clear_text_frontend_auth"? Rather, can't we set
"password" in the pool_hba.conf auth method for a user who is allow to
connect to pgpool with clear text password? This way is more flexible
since at the same we can force different user MD5 and/or SCRAM auth.

4) Migration of pool_passwd

If user have large number of entries in pool_passwd, migrating to new
pool_passwd using AES encryption is pain. Is there any way to migate
the pain?

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

> Hi All,
> 
> 
> I have been working on supporting the new authentication methods in
> Pgpool-II, So here is the working patch for supporting the SCRAM and CERT
> based authentication methods.
> 
> The patch needs a some compilation warning fixes and little bit of review
> of memory management and code cleanups (which I am working on) but other
> than that it is ready for review testing.
> 
> The code is also checked-in to SCRAM_AUTH branch in Pgpool's git repo
> 
> 
> Below is the brief overview of changes made by the patch and how to use the
> newly added auth methods.
> 
> 
> *Allow different auth methods for frontend and backend for user session:*
> 
> The patch made it possible to use different authentication methods between
> client to Pgpool-II and Pgpool-II to backend.
> 
> For example: now we can use clear-text-password authentication between
> Pgpool-II and frontend applications while md5 or scram auth method to
> authenticate the backend connections for same session. Similarly the
> frontend can now be authenticated using the ssl certificate (CERT auth)
> while for backend we can use md5 or scram for the same session.
> 
> 
> *Able to use MD5 and SCRAM auth methods without pool_passwd:*
> 
> The patch adds a new configuration parameter
> *allow_clear_text_frontend_auth*, enabling this config allows the Pgpool-II
> to use clear-text-password authentication with frontend clients when
> pool_passwd file does not contains the password for the connecting user,
> and use that password (provided by client) to authenticate with the backend
> using MD5 and/or SCRAM authentication.
> 
> Note: allow_clear_text_frontend_auth only works when pool_hba.conf is not
> enabled in pgpool.conf
> 
> 
> For example: suppose PostgreSQL servers has a user named "*some_user*"
> which can connect to database using SCRAM authentication, Now for this
> "some_user" to connect to PostgreSQL using SCRAM through Pgpool-II we must
> have the *some_user*'s password stored in the pool_passwd file, but if in
> some case when pool_passwd does not have the entry of "*some_user*" and
> *allow_clear_text_frontend_auth *is enabled in the pgpool.conf then
> Pgpool-II will ask the connecting frontend to use clear-text-password auth
> method for authentication, and after receiving the password from the
> client, Pgpool-II will use that password to authenticate with backend using
> the required SCRAM auth.
> 
> *Creating encrypted passwords:*
> 
> The patch adds a new utility *pg_enc* to create AES encrypted password
> entries. The utility works similar in most ways as pg_md5 utility, with a
> some small differences,
> 
> pg_enc also requires the key for encrypting the password entries. later
> that same key is required by Pgpool-II to decrypt the passwords to be used
> for authentication.
> 
> Note: Pgpool-II must be build with ssl (--with-openssl) support to use this
> encrypted password feature.
> 
> *Storing the encrypted password in pool_passwd file*
> 
> Since the SCRAM authentication method explicitly guards against the
> man-in-middle type attack so Pgpool-II can only use SCRAM auth method if it
> has the user password (or *allow_clear_text_frontend_auth *is enabled). But
> storing the clear text password in a file is never a good idea, so for that
> reason pool_passwd file now allows to store user password in AES-256
> encrypted format
> 
> for example:
> 
> some_user:AESWJPIi/R2QJS4cHKTAtjATw==
> 
> 
> Note: database passwords are encrypted using AES 256 encryption and then
> encoded into base64 for storing in pool_passwd file, AES prefix is added to
> the encoded password strings after encryption+encoding for identification.
> 
> 
> *Ways to provide encryption key to pg_enc utility*
> 
> There are multiple ways to provide encryption key to pgenc utility.
> 
> 1- using stdin ( -P, --prompt-for-key)
> 
> 2- using command line argument (-K, --enc-key=ENCRYPTION_KEY)
> 
> 3- using key file (-k, --key-file=KEY_FILE)
> 
>    by default the pg_enc looks for the key in home/.pgpoolkey file
> 
>    and the default location can be over ridden by PGPOOLKEYFILE
> 
>    environment variable
> 
> 
> Try  pg_enc --help  for more details
> 
> 
> *Providing encryption key to Pgpool-II*
> 
> Pgpool-II reads the encryption key from *pgpoolkey* file, the path to the
> key file can be specified using the new (-k, --key-file=KEY_FILE) command
> line argument, if the argument is not provided, Pgpool-II will try to look
> for the key file in user's home directory.
> 
> If you do not want to use the key file at default location and also do not
> want to specify the location in command line argument you can also specify
> the poolkey file in *PGPOOLKEYFILE* environment variable.
> 
> 
> If encryption key is not provided to Pgpool-II or the wrong encryption key
> is provided the encrypted password entries in pool_passwd becomes unusable.
> 
> 
> *AES encrypted password entries can also be used for md5 auth method*
> 
> Previously only way to use md5 authentication method was to add md5 encoded
> password to the pool_passwd file for the user. now with this
> 
> patch md5 authentication system in Pgpool-II can also use the AES encrypted
> passwords.
> 
> So same AES encrypted password can be used for SCRAM, clear-text and md5
> authentications.
> 
> 
> *Using CERT authentication between Pgpool-II and frontend*
> 
> To use the cert authentication between Pgpool-II and frontend configure the
> following ssl configurations in pgpool.conf
> 
> ssl_key = '/server.key'
> 
> ssl_cert = 'server.crt'
> 
> ssl_ca_cert = 'root.crt'
> Note: You must use the same ssl certificates in Pgpool-II that are used by
> backend PostgreSQL server.
> 
> Now configure pool_hba.conf to use cert ( in this example we want
> PostgreSQL user named cert_user to use cert auth)
> 
> 
> *hostssl    all         cert_user         0/0     cert*
> 
> 
> This will enable the cert authentication between pgpool and frontend
> clients. After this cert_user will only be able to connect to Pgpool-II
> when it will present the valid ssl client certificate with the certificate
> having the common name  same as the database user name (cert_user in this
> case)
> 
> 
> You can use any other auth method for same cert_user in backend.
> 
> I will also share the detailed step by step guide for using the cert
> authentication later.
> 
> 
> *Example test case for SCRAM authentication:*
> 
> 
> 1-- create user in PostgreSQL with SCRAM type password
> 
> 
> SET password_encryption = 'scram-sha-256';
> 
> CREATE ROLE scram_user PASSWORD 'scram_password';
> 
> ALTER ROLE scram_user WITH LOGIN;
> 
> 
> 2-- create the encryption key file in home directory
> 
> 
> echo poolencryptionkey >> ~/.pgpoolkey
> 
> 
> 3-- create the pool_passwd entry for scram_user
> 
> 
> pg_enc -m -f pgpool.conf -u sceam_user scram_password
> 
> 
> 4-- adjust pg_hba.conf to use scram for scram_user
> 
> 
> host      all   scram_user     0/0    scram-sha-256
> 
> 
> 5-- configure pool_hba.conf to use scram for scram_user
> 
> 
> host    all         scram_user         0/0     scram-sha-256
> 
> 
> 6-- restart postgresql and run pgpool
> 
> 
> 7-- connect through pgpool using scram user
> 
> 
> psql -h 127.0.0.1 -U scram_user -p 9999 postgres
> 
> 
> 
> *Regression test cases*
> 
> Patch also contains following three regression test cases, You can have a
> look into those get a idea.
> 
> 020.allow_clear_text_frontend_auth
> 
> 021.pool_passwd_auth
> 
> 022.pool_passwd_alternative_auth
> 
> 
> 
> Comments and suggestions are most welcome.
> 
> 
> Thanks
> 
> Best Regards
> 
> Muhammad Usama

More information about the pgpool-hackers mailing list