On Thu, Jul 06, 2017 at 10:03:37AM +0900, Tatsuo Ishii wrote: > Hi PostgreSQL hackers, > > I would like to hear ideas how Pgpool-II can deal with SCRAM auth > which will be in PostgreSQL 10. > > For those who are not familiar with Pgpool-II[1], it is an external > OSS project to provide some additional features to PostgreSQL, > including load balancing and automatic failover. Pgpool-II works as a > proxy between PostgreSQL client and PostgreSQL server(s). > > When a client wants to connects to PostgreSQL and SCRAM auth is > enabled, it sends user name to server. Then the server sends > information including a salt to the client. The client computes a > "ClientProof" using the salt and other information, and sends it to > the server[2]. > > For Pgpool-II, things would go as follows: > > 1) clients sends user name to Pgpool-II. > 2) Pgpool-II forwards it to PostgreSQL servers. > 3) Each PostgreSQL server sends their own salt to Pgpool-II. > 4) Pgpool-II is confused because there are multiple salts and each has > different values. The client only accepts single salt obviously. > > So my question is, is there any solution or workaround for the problem > #4. Someone at PGCon 2017 suggested that the problem could be avoided > if the auth method between the client and Pgpool-II is "trust" (which > means no auth). But this does not seem to be a best solution for me > because it would weaken the security.
In the end, what poolers do is doing is indistinguishable, in security terms, from a man-in-the-middle attack. To the client, the thing with which they're negotiating auth and doing queries is Pgpool-II, in a manner similar to writing to a RAID volume rather than any individual disk in it. Are people actually running Pgpool on an untrusted network to the PostgreSQL nodes? Best, David. -- David Fetter <david(at)fetter(dot)org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers