[pgpool-hackers: 3637] allow_clear_text_frontend_auth and pool_hba.conf
Tatsuo Ishii
ishii at sraoss.co.jp
Fri May 22 11:24:22 JST 2020
While taking care of this:
[pgpool-general: 7015] SSL authentication in Pgpool
I noticed that if clear text password is flying between client and
Pgpool-II, it will be more secure to accept only frontend using SSL
connection. To force SSL connections, pool_hba.conf can be used
(hostssl). However currently allow_clear_text_frontend_auth and
pool_hba.conf are not compatible. Looking into the code, I think just
removing "frontend->pool_hba == NULL" from following lines (there are
2 places same if-statement appear. One is MD5 and the aother is SCRAM)
makes it possible for allow_clear_text_frontend_auth and pool_hba.conf
be compatible.
if (frontend->pool_hba == NULL && pool_config->allow_clear_text_frontend_auth)
The only concern is, if allow_clear_text_frontend_auth is enabled,
auth methods including MD5, SCRAM specified in pool_hba.conf will be
ignored. Can we accept this?
Attached is the patch to implement above. Also I have downgraded following log messages:
ereport(LOG,
(errmsg("using clear text authentication with frontend"),
errdetail("backend will still use md5 auth"),
errhint("you can disable this behavior by setting allow_clear_text_frontend_auth to off"
because everytime frontend is authenticated, this log is emitted. It seems too much.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pool_auth.diff
Type: text/x-patch
Size: 1375 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20200522/a5e6222a/attachment.bin>
More information about the pgpool-hackers
mailing list