[pgpool-hackers: 3650] Re: allow_clear_text_frontend_auth and pool_hba.conf
Tatsuo Ishii
ishii at sraoss.co.jp
Mon Jun 15 13:19:44 JST 2020
> Hi Ishii-San,
>
> On Fri, May 22, 2020 at 7:24 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>
>> While taking care of this:
>> [pgpool-general: 7015] SSL authentication in Pgpool
>>
>> I noticed that if clear text password is flying between client and
>> Pgpool-II, it will be more secure to accept only frontend using SSL
>> connection. To force SSL connections, pool_hba.conf can be used
>> (hostssl). However currently allow_clear_text_frontend_auth and
>> pool_hba.conf are not compatible. Looking into the code, I think just
>> removing "frontend->pool_hba == NULL" from following lines (there are
>> 2 places where the same if-statement appears. One is MD5 and the other is SCRAM)
>> makes it possible for allow_clear_text_frontend_auth and pool_hba.conf
>> be compatible.
>>
>> if (frontend->pool_hba == NULL &&
>> pool_config->allow_clear_text_frontend_auth)
>>
>> The only concern is, if allow_clear_text_frontend_auth is enabled,
>> auth methods including MD5, SCRAM specified in pool_hba.conf will be
>> ignored. Can we accept this?
>>
>
> It is a tough choice, as this will result in allow_clear_text_frontend_auth
> effectively disabling the pool_hba settings.
>
> How about if we add a new auth-options to the HBA line for that purpose?
> For example:
> host postgres all 192.168.12.10/32 md5 allow_clear_text_auth=[on/off]

I am not sure what you mean. For example,

host postgres all 192.168.12.10/32 md5 allow_clear_text_auth=on

Will frontend be required to send a password in clear text or md5
hashed? There's no way to do both.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
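
An added example, not part of the original message and not Pgpool-II code: an audit of pool_hba.conf text that lists the entries where a password could reach Pgpool-II in clear text over a non-SSL connection. The allow_clear_text flag models the behaviour discussed in the thread (md5 and SCRAM entries ignored when allow_clear_text_frontend_auth is enabled); the function names, method sets and sample file are assumptions made for illustration.

```python
# Methods where the frontend sends the password itself (assumed set).
CLEARTEXT_METHODS = {"password", "pam"}
# Methods the thread says would be ignored if allow_clear_text_frontend_auth
# were honoured together with pool_hba.conf.
OVERRIDDEN_METHODS = {"md5", "scram-sha-256"}

def parse_hba(text):
    """Yield (line_number, record_type, method) for each host* record."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not fields[0].startswith("host"):
            continue  # blank line, comment, or 'local' (unix socket) record
        # Layout: TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]
        idx = 4
        if len(fields) > 5 and "/" not in fields[3] and fields[4][0].isdigit():
            idx = 5  # address and netmask given as two separate fields
        if len(fields) > idx:
            yield n, fields[0], fields[idx]

def cleartext_exposure(hba_text, allow_clear_text=False):
    """Return records that can carry a clear-text password without SSL."""
    findings = []
    for n, rtype, method in parse_hba(hba_text):
        if rtype == "hostssl":
            continue  # matches SSL connections only, so the password is wrapped
        sends_cleartext = method in CLEARTEXT_METHODS or (
            allow_clear_text and method in OVERRIDDEN_METHODS)
        if sends_cleartext:
            findings.append((n, rtype, method))
    return findings

# Constructed sample; line 3 is the entry quoted in the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS              METHOD
local   all       all                        trust
host    postgres  all   192.168.12.10/32     md5
hostssl all       all   10.0.0.0/8           password
host    all       all   10.1.0.0 255.255.0.0 password
hostssl all       all   0.0.0.0/0            scram-sha-256
"""

if __name__ == "__main__":
    for flag in (False, True):
        print("allow_clear_text =", flag)
        for n, rtype, method in cleartext_exposure(SAMPLE_HBA, flag):
            print(f"  line {n}: {rtype} {method} -> use hostssl")
```
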