[pgpool-general: 8688] Re: password file format
Ron
ronljohnsonjr at gmail.com
Thu Mar 30 00:18:10 JST 2023
On 3/29/23 09:52, Todd Stein wrote:
>
> Hi,
>
> Will someone please correct or confirm my assumption of the SCRAM-SHA-256
> password file format for $HOME/.pgpass and $HOME/.pcppass files?
>
> I’m not sure if I should be using the password with the AES prefix outside
> of the pool_password file or not. For example in the .pgpass and/or
> .pcppass files.
>
> $ pg_enc -k ~/.pgpoolkey -u postgres -p
>
> db password:
>
> trying to read key from file /var/lib/pgsql/.pgpoolkey
>
> *P1+l8j3GaTxzSBgcY1laEQ==*
>
> pool_passwd string: *AESP1+l8j3GaTxzSBgcY1laEQ==*
>
> My understanding (please correct me if I’m wrong), is that the pcp.conf
> file must use md5 encryption regardless of what your password_encryption
> in the DB is.
>
pcp is for managing PgPool.
> The pool_password file (when using scram-sha-256 encryption) requires the
> string it gets automatically (which includes the AES prefix) by the pg_enc
> command when providing the “-m” attribute.
>
pool_passwd is for accessing PostgreSQL databases. Their "user lists" are
completely separate. You can, for example, have user "blarge" in pcp.conf
but not in pool_passwd (and by extension be a PostgreSQL role).
>
> However, I’ve not been able to find anything documented for the password
> files.
>
What do you mean? https://www.pgpool.net/docs/43/en/html/auth-methods.html
describes pool_passwd, and describes how to create MD5 and SHA256 hashes.
> I’m pretty sure I’ve seen that if I were to use an encrypted password
> (scram-sha-256) in the pgpool.conf file, it must include the AES prefix.
>
pg_enc does that for you.
> In my testing I find that if the password in ~/.pgpass includes the AES
> prefix in the encrypted password, I get password authentication failed for
> user “postgres” when the system tries to start a replication slot.
>
That needs more detail.
--
Born in Arizona, moved to Babylonia.
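
An added example, not part of the original thread or of pgpool-II's own code: a small Python linter for .pgpass and .pcppass content that flags password fields carrying a pool_passwd-style AES or md5 string. It assumes the client-side files hold the literal password, since libpq and the pcp clients use that field as the password itself; the function names and sample entries are constructed for illustration.

```python
import re

# Shapes that belong in pool_passwd, not in client password files:
# "AES" + base64 ciphertext (pg_enc output) or "md5" + 32 hex digits.
POOL_PASSWD_FORM = re.compile(r"AES[A-Za-z0-9+/]+={0,2}|md5[0-9a-f]{32}")

# .pgpass  = host:port:database:user:password
# .pcppass = host:port:user:password
FIELD_COUNT = {"pgpass": 5, "pcppass": 4}

# Constructed sample entries, not taken from the thread.
SAMPLE_PGPASS = r"""# constructed sample entries
db1.example.internal:5432:replication:postgres:AESc2FtcGxlLW5vdC1yZWFsCg==
db1.example.internal:5432:*:app:s3cr\:et
db1.example.internal:5432:postgres
"""

def split_fields(line):
    # Split on ':' while honouring backslash escapes for ':' and '\'.
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def lint(text, kind):
    # Return a list of (line_number, user, problem) for suspicious entries.
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if len(fields) != FIELD_COUNT[kind]:
            findings.append((no, None, "wrong number of fields"))
        elif POOL_PASSWD_FORM.fullmatch(fields[-1]):
            findings.append((no, fields[-2], "pool_passwd-style string used as password"))
    return findings
```

The match is a heuristic: a real password that happens to start with `AES` followed only by base64 characters would also be reported.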