[pgpool-general: 7928] Re: Problem using password authentication
Jon SCHEWE
jon.schewe at raytheon.com
Sat Dec 11 01:16:14 JST 2021
Replying to both messages here.
Changing pool_hba.conf from "password" to "trust" doesn't change the remote connections. To be clear, connections from the same subnet as the pgpool host work just fine. Connections from a subnet other than the pgpool subnet fail immediately.
> > I'm using password authentication over SSL. This works fine with connections from the same network, but doesn't work with connections from another network. Can anyone explain why this isn't working?
> >
> > in pgpool.conf:
> > enable_pool_hba = on
> > pool_passwd = ''
> >
> >
> > in pool_hba.conf:
> > # "local" is for Unix domain socket connections only
> > local all all trust
> > # IPv4 local connections:
> > host all all 127.0.0.1/32 trust
> > host all all ::1/128 trust
> >
> > hostssl all all 0.0.0.0/0 password
> >
> > log output:
> > Dec 7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: WARNING: unable to get password, password file descriptor is NULL
> > Dec 7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: FATAL: client authentication failed
> > Dec 7 16:20:59 psql-01 pgpool[1085857]: 2021-12-07 16:20:59: pid 1102488: DETAIL: no pool_hba.conf entry for host "XXX.XXX.XXX.XXX", user "", database "", SSL off
>
> Works for me. I am using Pgpool-II on the master branch HEAD (almost
> same as 4.3.0 at this point). Which version of Pgpool-II are you
> using?
>
> psql -p 11000 -U foo -h localhost test
> Password for user foo:
> psql (14.1)
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
> Type "help" for help.
>
> test=> \q
This works fine for me as it's a localhost connection. It's when I'm connecting from a subnet other than the one the pgpool master is on.
> From pgpool.conf:
>
> pool_passwd = ''
> enable_pool_hba = on
> ssl = on
> ssl_key = 'server.key'
> ssl_cert = 'server.crt'
> ssl_prefer_server_ciphers = on
> ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'
>
> From pool_hba.conf:
> hostssl all foo 0.0.0.0/0 password
>
> From pg_hba.conf:
> hostssl all foo 0/0 scram-sha-256
I have "password" as the mechanism in both pool_hba.conf and pg_hba.conf.
I do have pg_hba.conf limited to allow connections only from the pgpool hosts.
> Can you provide pgpool.log with log_min_messages = debug5 ?
That is attached. Note that XXX.XXX.XXX.* and YYY.YYY.YYY.* are different subnets.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.log
Type: text/x-log
Size: 234315 bytes
Desc: debug.log
URL: <http://www.pgpool.net/pipermail/pgpool-general/attachments/20211210/9e36caf6/attachment.bin>
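
Added example, not part of the original message and not Pgpool-II's own code: a simplified first-match evaluator for the pool_hba.conf quoted above, showing which entry a TCP client matches depending on whether its session is SSL. It assumes pg_hba-style semantics (hostssl matches only SSL connections, host matches both, hostnossl only non-SSL); the client address 192.0.2.10 and the `db`/`user` defaults are constructed placeholders.

```python
import ipaddress

# Constructed from the pool_hba.conf lines quoted in the message above.
POOL_HBA = """\
local   all all                 trust
host    all all 127.0.0.1/32    trust
host    all all ::1/128         trust
hostssl all all 0.0.0.0/0       password
"""

def parse_hba(text):
    """Return rules in file order, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            conn_type, db, user, method = fields[:4]
            net = None  # Unix-socket entries carry no address column
        else:
            conn_type, db, user, cidr, method = fields[:5]
            net = ipaddress.ip_network(cidr, strict=False)
        rules.append({"type": conn_type, "db": db, "user": user, "net": net, "method": method})
    return rules

def match(rules, addr, ssl, db="test", user="foo"):
    """First-match lookup for a TCP client; None means no entry applies."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        if r["type"] == "local":
            continue  # never applies to TCP clients
        if r["type"] == "hostssl" and not ssl:
            continue  # SSL-only entry, plaintext session
        if r["type"] == "hostnossl" and ssl:
            continue  # plaintext-only entry, SSL session
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if ip.version == r["net"].version and ip in r["net"]:
            return r["method"]
    return None

if __name__ == "__main__":
    rules = parse_hba(POOL_HBA)
    for addr, ssl in [("127.0.0.1", False), ("192.0.2.10", True), ("192.0.2.10", False)]:
        print(addr, "SSL on" if ssl else "SSL off", "->", match(rules, addr, ssl))
```

With these entries a non-loopback client whose session is not SSL falls through every line, which is the condition the quoted DETAIL line ("no pool_hba.conf entry ... SSL off") reports.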