[pgpool-committers: 5052] Re: pgpool: Feature: Add SCRAM and Certificate authentication support
Tatsuo Ishii
ishii at sraoss.co.jp
Fri Aug 17 09:38:08 JST 2018
Usama,
In this commit I see below in main/main.c:
//#ifdef USE_SSL
// /* global ssl init */
//#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER))
// OPENSSL_init_ssl(0, NULL);
//#else
// SSL_library_init();
//#endif
// SSL_load_error_strings();
//#endif /* USE_SSL */
Can we remove the code safely or are you still working on this part?
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
From: Muhammad Usama <m.usama at gmail.com>
Subject: [pgpool-committers: 5051] pgpool: Feature: Add SCRAM and Certificate authentication support
Date: Thu, 16 Aug 2018 16:45:03 +0000
Message-ID: <E1fqLOR-0002Yf-AY at gothos.postgresql.org>
> Feature: Add SCRAM and Certificate authentication support
>
> New feature to add scram and cert authentication method support in Pgpool-II.
> Apart from supporting the new authentication methods the commit also includes
> the following enhancements and changes in the authentication framework
> of Pgpool-II
>
> Different auth methods for frontend and backend for user session
> ================================================================
> Now it possible to use different authentication method for client
> application and backend PostgreSQL servers.
> For example, a client application can use scram-sha-256 to connect to Pgpool-II
> which in turn can use trust or md5 authentication to connect to
> PostgreSQL backend for the same session.
>
> Use MD5 and SCRAM without pool_passwd
> =====================================
> New configuration parameter allow_clear_text_frontend_auth, enables the Pgpool-II
> to use clear-text-password authentication with frontend clients when pool_passwd
> file does not contains the password for the connecting user.
> For example: suppose PostgreSQL servers has a user named "some_user" which can
> connect to database using SCRAM authentication, Now for this "some_user" to
> connect to PostgreSQL using SCRAM through Pgpool-II we must have the some_user's
> password stored in the pool_passwd file, but if in some case when pool_passwd does
> not have the entry of "some_user" and allow_clear_text_frontend_auth is enabled
> in the pgpool.conf then Pgpool-II will ask the connecting frontend to use
> clear-text-password auth method for authentication, and after receiving the
> password from the client, Pgpool-II will use that password to authenticate with
> backend using the required SCRAM auth.
>
> Note: allow_clear_text_frontend_auth only works when pool_hba.conf is not enabled.
>
> Encrypted passwords in pool_passwd file
> =======================================
> Since the SCRAM authentication method explicitly guards against the
> man-in-middle type attacks, so to use such authentication methods Pgpool-II
> requires the PostgreSQL user password to authenticate with the backend.
> But as storing the clear text password in the "pool_passwd" file is never a good
> idea, so now you can store the AES256-CBC encrypted password in the "pool_passwd".
> To store the AES encrypted password in the "pool_passwd" the password is first
> encrypted using the AES256 encryption with the user provided key and then the
> encrypted password is base64 encoded and AES prefix is added to
> the encoded string.
>
> New pg_enc utility to create encrypted passwords
> ================================================
> A new utility pg_enc is added to create AES encrypted passwords. The utility
> works similar in most ways as pg_md5 utility, with a some small differences,
> pg_enc also requires the key for encrypting the password entries. later that
> same key is required by Pgpool-II to decrypt the passwords to be used for
> authentication.
>
> Note: Pgpool-II must be build with ssl (--with-openssl) support to use
> this encrypted password feature.
>
> Providing encryption key to Pgpool-II
> =====================================
> If you have AES encrypted passwords stored in the pool_passwd file, then
> Pgpool-II will require the decryption key to decrypt the passwords before
> using them, Pgpool-II tries to read the decryption key at startup from
> the pgpoolkey file.
> By default the Pgpool-II will look for the pgpoolkey file in user's home
> directory or the file referenced by environment variable PGPOOLKEYFILE.
> You can also specify the key file using the (-k, --key-file=KEY_FILE)
> command line argument to the Pgpool-II binary.
>
> Encrypted Passwords in pgpool.conf
> ==================================
> The commit also allows to specify the AES encrypted password in the pgpool.conf
> file for healh_check_user, sr_check_user, wd_lifecheck_user and recovery_user
> users, Additionally if the password field for any of these users is left blank
> in pgpool conf then Pgpool-II will first try to get the password for that user
> from pool_passwd file before using the empty password for the connection.
> So now pgpool.conf can be made password free and single pool_passwd file can be
> used to store all passwords for internal and external user connection
>
> Documentation updates and regression test cases for the
> feature are also part of the commit.
> Thanks to jesperpedersen <jesper.pedersen at redhat.com> for helping
> in documentation and testing for the feature
>
> Branch
> ------
> master
>
> Details
> -------
> https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=26446126f36dcd34ea9032ac934aafe63acc0eee
>
> Modified Files
> --------------
> Makefile.in | 43 +-
> aclocal.m4 | 203 +-
> configure | 261 +--
> configure.ac | 2 +-
> doc.ja/Makefile.in | 24 +-
> doc.ja/src/Makefile.in | 24 +-
> doc.ja/src/sgml/Makefile.in | 24 +-
> doc/Makefile.in | 24 +-
> doc/src/Makefile.in | 24 +-
> doc/src/sgml/Makefile.in | 24 +-
> doc/src/sgml/client-auth.sgml | 231 +-
> doc/src/sgml/connection-settings.sgml | 32 +
> doc/src/sgml/healthcheck.sgml | 23 +
> doc/src/sgml/online-recovery.sgml | 24 +
> doc/src/sgml/ref/allfiles.sgml | 1 +
> doc/src/sgml/ref/pg_enc.sgml | 165 ++
> doc/src/sgml/reference.sgml | 1 +
> doc/src/sgml/stream-check.sgml | 23 +
> doc/src/sgml/watchdog.sgml | 27 +-
> src/Makefile.am | 5 +
> src/Makefile.in | 45 +-
> src/auth/auth-scram.c | 1653 ++++++++++++++
> src/auth/pool_auth.c | 1674 +++++++++++---
> src/auth/pool_hba.c | 87 +-
> src/auth/pool_passwd.c | 377 +++-
> src/config/pool_config_variables.c | 9 +
> src/include/Makefile.in | 29 +-
> src/include/auth/md5.h | 1 -
> src/include/auth/pool_hba.h | 10 +-
> src/include/auth/pool_passwd.h | 43 +-
> src/include/auth/scram-common.h | 93 +
> src/include/auth/scram.h | 65 +
> src/include/config.h.in | 3 +
> src/include/pool.h | 21 +-
> src/include/pool_config.h | 8 +-
> src/include/pool_type.h | 13 +-
> src/include/utils/base64.h | 19 +
> src/include/utils/sha2.h | 116 +
> src/include/utils/ssl_utils.h | 34 +
> src/include/watchdog/wd_utils.h | 7 +-
> src/libs/Makefile.in | 24 +-
> src/libs/pcp/Makefile.in | 25 +-
> src/main/health_check.c | 8 +-
> src/main/main.c | 86 +-
> src/main/pgpool_main.c | 16 +-
> src/parser/Makefile.in | 25 +-
> src/pcp_con/recovery.c | 27 +-
> src/protocol/child.c | 227 +-
> src/sample/pgpool.conf.sample | 20 +-
> src/sample/pgpool.conf.sample-logical | 18 +-
> src/sample/pgpool.conf.sample-master-slave | 17 +
> src/sample/pgpool.conf.sample-replication | 17 +
> src/sample/pgpool.conf.sample-stream | 16 +
> src/sample/pool_hba.conf.sample | 4 +-
> src/streaming_replication/pool_worker_child.c | 10 +-
> src/test/pgpool_setup | 34 +-
> .../020.allow_clear_text_frontend_auth/test.sh | 104 +
> .../tests/021.pool_passwd_auth/pool_hba.conf | 71 +
> .../regression/tests/021.pool_passwd_auth/test.sh | 111 +
> .../022.pool_passwd_alternative_auth/pool_hba.conf | 71 +
> .../tests/022.pool_passwd_alternative_auth/test.sh | 112 +
> src/tools/Makefile.am | 2 +-
> src/tools/Makefile.in | 27 +-
> src/tools/pcp/Makefile.in | 24 +-
> src/tools/pgenc/Makefile.am | 54 +
> src/tools/pgenc/Makefile.in | 687 ++++++
> src/tools/pgenc/pg_enc.c | 449 ++++
> src/tools/pgmd5/Makefile.in | 24 +-
> src/tools/pgmd5/pool_config.c | 2318 +-------------------
> src/utils/base64.c | 196 ++
> src/utils/pool_process_reporting.c | 5 +
> src/utils/pool_ssl.c | 350 ++-
> src/utils/scram-common.c | 238 ++
> src/utils/sha2.c | 999 +++++++++
> src/utils/ssl_utils.c | 248 +++
> src/watchdog/Makefile.in | 24 +-
> src/watchdog/watchdog.c | 1 +
> src/watchdog/wd_json_data.c | 3 +
> src/watchdog/wd_lifecheck.c | 8 +-
> src/watchdog/wd_utils.c | 32 +-
> 80 files changed, 8747 insertions(+), 3477 deletions(-)
>
More information about the pgpool-committers
mailing list