<div dir="ltr"><div>Hi Ishii-San,</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 22, 2020 at 7:24 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">While taking care of this:<br>
[pgpool-general: 7015] SSL authentication in Pgpool<br>
<br>
I noticed that if clear text password is flying between client and<br>
Pgpool-II, it will be more secure to accept only frontend using SSL<br>
connection. To force SSL connections, pool_hba.conf can be used<br>
(hostssl). However currently allow_clear_text_frontend_auth and<br>
pool_hba.conf are not compatible. Looking into the code, I think just<br>
removing "frontend->pool_hba == NULL" from following lines (there are<br>
2 places same if-statement appear. One is MD5 and the aother is SCRAM)<br>
makes it possible for allow_clear_text_frontend_auth and pool_hba.conf<br>
be compatible.<br>
<br>
if (frontend->pool_hba == NULL && pool_config->allow_clear_text_frontend_auth)<br>
<br>
The only concern is, if allow_clear_text_frontend_auth is enabled,<br>
auth methods including MD5, SCRAM specified in pool_hba.conf will be<br>
ignored. Can we accept this?<br></blockquote><div><br></div><div>It is a tough choice as this will result, allow_clear_text_frontend_auth to effectively</div><div>disable the pool_hba settings.</div><div><br></div><div>How about if we add a new auth-options to the HBA line for that purpose?</div><div>For example:</div><div>host postgres all <a href="http://192.168.12.10/32">192.168.12.10/32</a> md5 allow_clear_text_auth=[on/off]<br></div><div><br></div><div>Thanks</div><div>Best regards</div><div>Muhammad Usama</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Attached is the patch to implement above. Also I have downgraded following log messages:<br>
<br>
ereport(LOG,<br>
(errmsg("using clear text authentication with frontend"),<br>
errdetail("backend will still use md5 auth"),<br>
errhint("you can disable this behavior by setting allow_clear_text_frontend_auth to off"<br>
<br>
because everytime frontend is authenticated, this log is emitted. It seems too much.<br>
<br>
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
_______________________________________________<br>
pgpool-hackers mailing list<br>
<a href="mailto:pgpool-hackers@pgpool.net" target="_blank">pgpool-hackers@pgpool.net</a><br>
<a href="http://www.pgpool.net/mailman/listinfo/pgpool-hackers" rel="noreferrer" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-hackers</a><br>
</blockquote></div></div>