[pgpool-hackers: 3340] Re: [pgpool-general: 6575] Re: Pgpool-II - PosgreSQL 9.5 MD5 Auth Issues

Tatsuo Ishii ishii at sraoss.co.jp
Sun Jun 2 16:28:14 JST 2019


> Hi Usama,
> 
> After answering this:
>> 2) you need to store the password for "pgpool" user as either "plain
>> text" or "AES256 encrypted" form (see
>> http://www.pgpool.net/docs/latest/en/html/auth-aes-encrypted-password.html
>> for more detail) into pool_password. "md5" form does not work in this
>> case. This is because you set sr_check_password to '' and expect
>> Pgpool-II to extract password from pool_password. If the password is
>> in md5, Pgpool-II cannot "unhash" the md5 password to extract the raw
>> password string.
> 
> I start to think that MD5 format password stored in pool_password
> cannot be used for sr_check_password is empty case is not essential
> restriction but just a coding restriction.
> 
> 1. worker process needs to connect to backend.
> 2. it finds an entry for sr_check_user in pool_passwd.
> 3. the password is actually md5(password+username). let me denote it as "S".
> 4. worker process sends a start up packet to backend.
> 5. backend replies back with salt "s0".
> 6. worker process calculates md5(S+s0) and sends it to backend.
> 7. md5 auth succeeds.
> 
> Am I missing something?

Ok, attached is the patch to allow md5 password for
health_check_password and sr_check_password.

1) if health_check_password or sr_check_password is empty string ('')
   and there's a md5 password for the user in pool_password (in form
   of "md5..."), it will be used.

2) if health_check_password or sr_check_password is not empty string
   ('') and is in md5 password format, it will be used.

In summary with this patch, md5 password is not a "2nd citizen" any
more. It can be used as plain text password or AES256 encrypted
password.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: md5auth.diff
Type: text/x-patch
Size: 2508 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20190602/6f65d7bc/attachment.bin>
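The seven-step exchange quoted above, as an added Python sketch that is not part of the original message or of the attached patch. It shows that the md5 answer can be computed from the stored "md5..." entry alone, which also means that entry is enough by itself to authenticate and needs the same file protection as a plain text password. All function names, the user name, the password and the salt are constructed for illustration.

```python
import hashlib
import hmac
import string


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5(password: str, username: str) -> str:
    """Step 3: the stored form, 'md5' + md5(password + username)."""
    return "md5" + md5_hex(password.encode() + username.encode())


def is_md5_entry(entry: str) -> bool:
    """True if the entry looks like 'md5' followed by 32 hex digits."""
    return (len(entry) == 35 and entry.startswith("md5")
            and all(c in string.hexdigits for c in entry[3:]))


def response_from_stored(entry: str, salt: bytes) -> str:
    """Steps 5-6: answer the backend's salt using only the stored hash S."""
    if not is_md5_entry(entry):
        raise ValueError("not an md5-format entry")
    s = entry[3:]  # "S" in the quoted steps, as 32 hex characters
    return "md5" + md5_hex(s.encode("ascii") + salt)


def response_from_plain(password: str, username: str, salt: bytes) -> str:
    """What a client holding the raw password sends for the same salt."""
    return response_from_stored(stored_md5(password, username), salt)


def backend_verify(entry: str, salt: bytes, response: str) -> bool:
    """Step 7: the backend recomputes md5(S + salt) from its own stored S."""
    expected = response_from_stored(entry, salt)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    user, password, salt = "pgpool", "example-secret", b"\x01\x02\x03\x04"
    entry = stored_md5(password, user)  # what a pool_passwd md5 entry holds
    answer = response_from_stored(entry, salt)  # raw password never needed
    print(entry, answer, backend_verify(entry, salt, answer))
```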

