Re: SCRAM auth and Pgpool-II

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp>
Cc: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SCRAM auth and Pgpool-II
Date: 2017-07-06 01:32:39
Message-ID: CAB7nPqSaKjOF=o3K+zhApvBqhYksz-do=pHOa-Vc8rrmjTCOTw@mail.gmail.com
Lists: pgsql-hackers

On Thu, Jul 6, 2017 at 10:03 AM, Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> wrote:
> For Pgpool-II, things would go as follows:
>
> 1) clients send user name to Pgpool-II.
> 2) Pgpool-II forwards it to PostgreSQL servers.
> 3) Each PostgreSQL server sends their own salt to Pgpool-II.
> 4) Pgpool-II is confused because there are multiple salts and each has
> different values. The client only accepts single salt obviously.

Couldn't you cache one single SASL exchange status for each
connection, meaning one PGconn saved for each? As the challenge sent
by the server and the response generated by the client are different
by design, I am afraid you would need to do that anyway in this
context (Isn't PG-pool already using the weaknesses of MD5 to make
things easier?). As the server decides first which authentication type
should happen before beginning the real message exchange, that should
not be difficult. It seems to me that you would need something more
modular than you have now if you want, for example, to handle
automatically connections to multiple servers that have different
password hashes stored for the same user. The latter may be an edge
case with pgpool though.
--
Michael
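
The exchange in the quoted steps, plus the per-backend caching suggested in the reply, as an added worked example that is not part of the original message and not pgpool or PostgreSQL code. It runs a minimal SCRAM-SHA-256 exchange (RFC 5802/7677, channel binding omitted) against two simulated backends that hold verifiers for the same password under different salts, and shows that the one client proof is bound to a single salt and nonce, so a pooler must keep a separate exchange per backend and needs a fresh proof for each. The second half illustrates the "weakness of MD5" hinted at in the reply, on the assumption that it refers to the pooler holding the stored md5 verifier: with PostgreSQL's md5 scheme the stored hash alone answers any backend's salt. Salts, nonces, the user name and password are constructed for the example.

```python
"""Added example (not pgpool or PostgreSQL code): SCRAM-SHA-256 proof bound to
one salt/nonce versus PostgreSQL md5 auth answerable from the stored verifier.
All salts, nonces, user names and passwords are constructed."""
import hashlib
import hmac
import os
from base64 import b64decode, b64encode


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ScramBackend:
    """One PostgreSQL server: stores the SCRAM verifier (salt, iteration count,
    StoredKey, ServerKey), never the password itself."""

    def __init__(self, password: str, salt: bytes, iterations: int = 4096):
        self.salt, self.iterations = salt, iterations
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        self.stored_key = H(hmac_sha256(salted, b"Client Key"))
        self.server_key = hmac_sha256(salted, b"Server Key")  # used for ServerSignature, not needed here

    def server_first(self, client_nonce: str) -> str:
        # Step 3 of the quoted procedure: every server emits its *own* salt and nonce.
        self.nonce = client_nonce + b64encode(os.urandom(18)).decode()
        return f"r={self.nonce},s={b64encode(self.salt).decode()},i={self.iterations}"

    def verify(self, auth_message: bytes, client_proof: bytes) -> bool:
        # ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage); accept if H(ClientKey) == StoredKey.
        client_key = xor(client_proof, hmac_sha256(self.stored_key, auth_message))
        return hmac.compare_digest(H(client_key), self.stored_key)


def scram_client_final(password: str, client_first_bare: str, server_first: str):
    """Client side: build AuthMessage and ClientProof for one specific
    server-first message.  The proof is tied to that message's salt and nonce."""
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    salt, iterations = b64decode(attrs["s"]), int(attrs["i"])
    client_final_bare = f"c=biws,r={attrs['r']}"  # c=biws is base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    client_sig = hmac_sha256(H(client_key), auth_message)
    return auth_message, xor(client_key, client_sig)


def scram_demo(password: str = "s3cret") -> dict:
    # Constructed: two backends with verifiers for the same password, different salts.
    backends = [ScramBackend(password, b"salt-of-backend-A"),
                ScramBackend(password, b"salt-of-backend-B")]
    client_first_bare = "n=alice,r=fixedclientnonce"  # client nonce fixed for reproducibility
    firsts = [b.server_first("fixedclientnonce") for b in backends]
    auth_a, proof_a = scram_client_final(password, client_first_bare, firsts[0])
    results = {
        # The proof computed for backend A's salt/nonce is accepted only by A.
        "proof_for_A_accepted_by_A": backends[0].verify(auth_a, proof_a),
        "proof_for_A_accepted_by_B": backends[1].verify(auth_a, proof_a),
    }
    # One cached exchange state per backend works, but each needs its own proof
    # from the party that knows the password.
    results["one_exchange_per_backend"] = all(
        b.verify(*scram_client_final(password, client_first_bare, f))
        for b, f in zip(backends, firsts))
    return results


def pg_md5_response(stored_verifier: str, salt: bytes) -> str:
    """PostgreSQL md5 auth: the stored verifier is 'md5' + md5(password || user);
    the reply to the server's 4-byte salt is 'md5' + md5(inner_hex || salt).
    Whoever holds the stored verifier can answer any salt without the password."""
    return "md5" + hashlib.md5(stored_verifier[3:].encode() + salt).hexdigest()


def md5_demo(password: str = "s3cret", user: str = "alice") -> bool:
    inner = hashlib.md5((password + user).encode()).hexdigest()
    salts = [b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"]  # constructed per-backend salts
    from_password = ["md5" + hashlib.md5(inner.encode() + s).hexdigest() for s in salts]
    from_verifier = [pg_md5_response("md5" + inner, s) for s in salts]
    return from_password == from_verifier


if __name__ == "__main__":
    print(scram_demo())
    print(md5_demo())
```

The SCRAM proof fails at the second backend because AuthMessage carries the first backend's salt and nonce and StoredKey itself depends on the salt, so nothing the pooler forwards from exchange A is valid for exchange B; the md5 half shows why the older scheme did not force that choice.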
