View Issue Details

ID: 0000196
Project: Pgpool-II
Category: Bug
View Status: public
Last Update: 2016-07-12 14:07
Reporter: zathey
Assigned To: t-ishii
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: open
Platform: Linux
OS: CentOS
OS Version: 7
Summary: 0000196: md5 authentication is broken

Description: If `pool_passwd` does not contain the user trying to connect, it will prevent access.
```
$ ./psql -h 192.168.99.100 -p 9999 -U postgres
psql: FATAL: md5 authentication failed
DETAIL: pool_passwd file does not contain an entry for "postgres"
FATAL: md5 authentication failed
DETAIL: pool_passwd file does not contain an entry for "postgres"
```

If `pool_passwd` contains any hash, even if it does not match the password for the user on Postgres, it will allow access. It appears that pgpool is not checking the password given against the md5 hash in `pool_passwd`.
```
$ ./psql -h 192.168.99.100 -p 9999 -U postgres -W
Password for user postgres:
psql (9.4.5, server 9.2.15)
SSL connection (protocol: TLSv1, cipher: AES256-SHA, bits: 256, compression: off)
Type "help" for help.

postgres=#
```
Steps To Reproduce: Configure pool_hba.conf:
```
local all all trust
host all all 0.0.0.0/0 md5
```

Add your Postgres username to pool_passwd with a hash that does NOT match the password set on Postgres.

Connect to pgpool using the password set on Postgres, not the password in pool_passwd, and it will allow access.
Additional Information: This can create a huge security hole if Postgres is configured with trust auth, as it will allow access with no password or any password, essentially giving trust auth when only the md5 authtype has been configured for the host in the pgpool HBA file. See http://www.pgpool.net/mantisbt/view.php?id=123

Tags: No tags attached.

Activities

t-ishii

2016-05-12 13:42

developer   ~0000810

Assuming you set "enable_pool_hba = on", I think it's an effect of the connection cache. Once pgpool establishes a connection cache to PostgreSQL with a user, it will be there. When the same user connects to pgpool, and if it finds a proper connection cache, it will be reused without doing an authentication against PostgreSQL. So pgpool accepts the connection as long as the given password matches pool_passwd. pgpool assumes that the admin is responsible for matching pool_passwd with the PostgreSQL password.

If you do not like the behavior, you can disable connection pooling of pgpool (or give it an expiration).

zathey

2016-05-13 06:19

reporter   ~0000812

The problem is that if the password given does not match what's in pool_passwd, pgpool allows it to connect anyway. The password given by the client should always be checked against whatever is set in pool_passwd.

t-ishii

2016-05-14 17:46

developer   ~0000816

Does not reproduce here.

```
$ cat etc/pool_passwd
t-ishii:md5a16f9d87e344969ec59de417447348b3
foo:md5fdba98970961edb29f88241b9d99d890 <-- password is "foo"

$cat etc/pool_passwd
[snip]
# TYPE DATABASE USER CIDR-ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all foo md5
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all ::1/128 trust

$ cat data0/pg_hba.conf
[snip]
# TYPE DATABASE USER ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all foo md5
local all all trust

t-ishii@localhost: psql -p 11000 test
Pager usage is off.
psql (9.5.3)
Type "help" for help.

test=# show pool_version;
   pool_version
-------------------
 3.5.2 (ekieboshi)
(1 row)

test=# show pool_nodes;
 node_id | hostname | port  | status | lb_weight |  role   | select_cnt
---------+----------+-------+--------+-----------+---------+------------
 0       | /tmp     | 11002 | 2      | 0.500000  | primary | 0
 1       | /tmp     | 11003 | 2      | 0.500000  | standby | 0
(2 rows)

t-ishii@localhost: psql -p 11000 -U foo test
Password for user foo: [type "foo"]
Pager usage is off.
psql (9.5.3)
Type "help" for help.

test=> \q
t-ishii@localhost: !!
psql -p 11000 -U foo test
Password for user foo: [type "aaa"]
psql: ERROR: md5 authentication failed
DETAIL: password does not match
```

zathey

2016-05-18 06:14

reporter   ~0000824

Run this on your Postgres instance but don't change your pool_passwd file:

```
alter user foo with password 'aaa';
```

Now try to connect to pgpool using a password of "aaa", which does not match what's in pool_passwd.
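
Added example (not part of the issue thread and not Pgpool-II's code): the check the reporter expects, where a client's md5 response is verified against the `pool_passwd` entry, plus a drift check between `pool_passwd` and the backend's stored hashes. It assumes PostgreSQL's md5 scheme (`md5` + md5(password + username), hashed again with the 4-byte salt); all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac

def pg_md5(password: str, user: str) -> str:
    """Stored form in pool_passwd and on the backend: 'md5' + md5(password + user)."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def client_response(password: str, user: str, salt: bytes) -> str:
    """What a client sends after an AuthenticationMD5Password challenge."""
    inner = pg_md5(password, user)[3:].encode()
    return "md5" + hashlib.md5(inner + salt).hexdigest()

def parse_pool_passwd(text: str) -> dict:
    """Parse 'user:md5<32 hex>' lines; skip blank or malformed lines."""
    entries = {}
    for line in text.splitlines():
        user, sep, stored = line.strip().partition(":")
        if sep and stored.startswith("md5") and len(stored) == 35:
            entries[user] = stored
    return entries

def verify(entries: dict, user: str, response: str, salt: bytes) -> bool:
    """Check a client's md5 response against the pool_passwd entry only."""
    stored = entries.get(user)
    if stored is None:
        return False  # no entry for this user: reject
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)

def drift(entries: dict, backend: dict) -> list:
    """Users whose pool_passwd hash differs from, or is missing on, the backend."""
    return sorted(u for u, h in entries.items() if backend.get(u) != h)

# Constructed sample data (hypothetical; not values from the issue).
SALT = b"\x01\x02\x03\x04"
POOL_PASSWD = f"foo:{pg_md5('foo', 'foo')}\nbar:{pg_md5('s3cret', 'bar')}\n"
ENTRIES = parse_pool_passwd(POOL_PASSWD)
# Backend state after the password change above, with pool_passwd left untouched.
BACKEND = {"foo": pg_md5("aaa", "foo"), "bar": pg_md5("s3cret", "bar")}

if __name__ == "__main__":
    ok = verify(ENTRIES, "foo", client_response("foo", "foo", SALT), SALT)
    bad = verify(ENTRIES, "foo", client_response("aaa", "foo", SALT), SALT)
    print("foo with 'foo' accepted:", ok)
    print("foo with 'aaa' accepted:", bad)
    print("users out of sync with backend:", drift(ENTRIES, BACKEND))
```

Running `drift` against the hashes exported from the backend after every password change surfaces the mismatch that the thread attributes to administrator responsibility.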

t-ishii

2016-05-19 04:51

developer   ~0000825

As I already explained, that should be the effect of pgpool's connection cache. If it still happens even after restarting pgpool-II (in that case there's no pgpool connection cache effect), or disabling the connection cache, let me know.

zathey

2016-05-19 07:36

reporter   ~0000829

Shouldn't the connection cache let you log in with the pool_passwd password, "foo"? The problem is letting you log in with the new password, "aaa", which is not in pool_passwd.

t-ishii

2016-05-23 22:51

developer   ~0000838

Not reproduced here. Please show me exact steps to reproduce it.

t-ishii

2016-07-12 14:07

developer   ~0000888

No feedback over the last 1 month. This item is closed now.

Issue History

Date Modified Username Field Change
2016-05-12 11:49 zathey New Issue
2016-05-12 13:42 t-ishii Note Added: 0000810
2016-05-12 13:45 t-ishii Assigned To => t-ishii
2016-05-12 13:45 t-ishii Status new => feedback
2016-05-13 06:19 zathey Note Added: 0000812
2016-05-13 06:19 zathey Status feedback => assigned
2016-05-14 17:46 t-ishii Note Added: 0000816
2016-05-16 13:51 t-ishii Status assigned => feedback
2016-05-18 06:14 zathey Note Added: 0000824
2016-05-18 06:14 zathey Status feedback => assigned
2016-05-19 04:51 t-ishii Note Added: 0000825
2016-05-19 04:52 t-ishii Status assigned => feedback
2016-05-19 07:36 zathey Note Added: 0000829
2016-05-19 07:36 zathey Status feedback => assigned
2016-05-23 22:51 t-ishii Note Added: 0000838
2016-05-23 22:51 t-ishii Status assigned => feedback
2016-07-12 14:07 t-ishii Note Added: 0000888
2016-07-12 14:07 t-ishii Status feedback => closed