<div dir="ltr"><div dir="ltr"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 15, 2020 at 9:19 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> Hi Ishii-San,<br>
> <br>
> On Fri, May 22, 2020 at 7:24 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp" target="_blank">ishii@sraoss.co.jp</a>> wrote:<br>
> <br>
>> While taking care of this:<br>
>> [pgpool-general: 7015] SSL authentication in Pgpool<br>
>><br>
>> I noticed that if a clear text password is flying between the client and<br>
>> Pgpool-II, it will be more secure to accept only frontends using SSL<br>
>> connections. To force SSL connections, pool_hba.conf can be used<br>
>> (hostssl). However, currently allow_clear_text_frontend_auth and<br>
>> pool_hba.conf are not compatible. Looking into the code, I think just<br>
>> removing "frontend->pool_hba == NULL" from the following lines (there are<br>
>> 2 places where the same if-statement appears. One is MD5 and the other is SCRAM)<br>
>> makes it possible for allow_clear_text_frontend_auth and pool_hba.conf<br>
>> to be compatible.<br>
>><br>
>> if (frontend->pool_hba == NULL &&<br>
>> pool_config->allow_clear_text_frontend_auth)<br>
>><br>
>> The only concern is, if allow_clear_text_frontend_auth is enabled,<br>
>> auth methods including MD5, SCRAM specified in pool_hba.conf will be<br>
>> ignored. Can we accept this?<br>
>><br>
> <br>
> It is a tough choice as this will result in allow_clear_text_frontend_auth<br>
> effectively disabling the pool_hba settings.<br>
> <br>
> How about if we add a new auth-option to the HBA line for that purpose?<br>
> For example:<br>
> host postgres all <a href="http://192.168.12.10/32" rel="noreferrer" target="_blank">192.168.12.10/32</a> md5<br>
> allow_clear_text_auth=[on/off]<br>
<br>
I am not sure what you mean. For example,<br>
<br>
host postgres all <a href="http://192.168.12.10/32" rel="noreferrer" target="_blank">192.168.12.10/32</a> md5 allow_clear_text_auth=on<br>
<br>
Will the frontend be required to send a password in clear text or md5<br>
> hashed? There's no way to do both.<br></blockquote><div><br></div><div>What I mean to say is the frontend must use the authentication method that is specified</div><div>in the pool_hba (md5 in the above example) as long as the pool_passwd contains</div><div>the password for that connecting user.</div><div>But when the password for the user is not present in the pool_passwd file, then it should only</div><div>be allowed to use the clear text password when <font face="monospace">allow_clear_text_auth=on</font> is set for that HBA entry.</div><div><br></div><div>Something like this:</div><div><br></div><font face="monospace">@@ -506,9 +506,9 @@ pool_do_auth(POOL_CONNECTION * frontend, POOL_CONNECTION_POOL * cp)<br>* from client using plain text authentication if it is<br>* allowed by user<br>*/ - if (frontend->pool_hba == NULL && pool_config->allow_clear_text_frontend_auth)<br>+ if (pool_config->allow_clear_text_frontend_auth && <br>+ (frontend->pool_hba == NULL || frontend->pool_hba->allow_clear_text_auth)</font></div><div class="gmail_quote"><font face="monospace"><br></font></div><div class="gmail_quote"><font face="arial, sans-serif">What do you think, will this work?</font></div><div class="gmail_quote"><font face="arial, sans-serif"><br></font></div><div class="gmail_quote"><font face="arial, sans-serif">Thanks</font></div><div class="gmail_quote"><font face="arial, sans-serif">Best regards</font></div><div class="gmail_quote"><font face="arial, sans-serif">Muhammad Usama</font></div><div class="gmail_quote"><font face="arial, sans-serif"><br></font></div><div class="gmail_quote"><font face="monospace"><br></font><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
</blockquote></div></div>
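<div dir="ltr"><div>Review bot: the second "+" line of the pool_do_auth hunk is missing a closing parenthesis. "if (pool_config->allow_clear_text_frontend_auth &&" opens the outer paren and "(frontend->pool_hba == NULL || frontend->pool_hba->allow_clear_text_auth)" opens and closes only its own, so the condition as pasted will not compile; the line should end with "allow_clear_text_auth))". Two smaller points on the same hunk: the "@@ -506,9 +506,9 @@" header claims equal line counts while the hunk replaces one line with two, so either the header or the hunk body is truncated, and "frontend->pool_hba->allow_clear_text_auth" is a new struct member that this hunk does not define, so the pool_hba.conf parsing change and the field declaration need to ship in the same patch. The hunk also does not show the pool_passwd lookup that the message describes (clear text only when the user has no pool_passwd entry), so it is worth confirming the surrounding code reaches this branch only in that case. Finally, since the "frontend->pool_hba == NULL" arm keeps today's behaviour when pool_hba is disabled, the new per-entry option should default to off so an existing pool_hba.conf does not silently start accepting clear-text passwords for entries that specify md5 or scram-sha-256.</div></div>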