Re: SCRAM auth and Pgpool-II

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp>
Cc: michael(dot)paquier(at)gmail(dot)com, robertmhaas(at)gmail(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SCRAM auth and Pgpool-II
Date: 2017-07-13 22:33:25
Message-ID: 20170713223325.GH1769@tamriel.snowman.net
Lists: pgsql-hackers

Greetings Tatsuo,

* Tatsuo Ishii (ishii(at)sraoss(dot)co(dot)jp) wrote:
> > What I am suggesting here is that in order to handle properly SCRAM
> > with channel binding, pgpool has to provide a different handling for
> > client <-> pgpool and pgpool <-> Postgres. In short, I don't have a
> > better answer than having pgpool impersonate the server and request
> > for a password in cleartext through an encrypted connection between
> > pgpool and the client if pgpool does not know about it, and then let
> > pgpool do by itself the SCRAM authentication on a per-connection basis
> > with each Postgres instance. When using channel binding, what would
> > matter is the TLS finish (for tls-unique) or the hash server
> > certificate between Postgres and pgpool, not between the client and
> > pgpool. But that's actually the point you are raising here:
>
> Using a clear text password would not be acceptable for users even
> through an encrypted connection, I think.

Really, I don't think users who are concerned with security should be
using the md5 method either.

What would be really nice for such cases is support for Kerberos and
delegated Kerberos credentials. Having pgpool support that would remove
the need to deal with passwords at all.

Ditto for having postgres_fdw support same. More often than not,
Kerberos deployments (via AD, generally) are what I find in the
enterprises that I work with and they're happy to see we have Kerberos
but it's disappointing when they can't use Kerberos with either
connection poolers or with FDWs.

Thanks!

Stephen
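
Added example, not part of the thread and not pgpool or PostgreSQL code: a minimal SCRAM-SHA-256 exchange with a tls-unique channel binding, showing why a pooler that merely forwards the SCRAM messages cannot pass SCRAM-PLUS through. The client binds its proof to the client<->pooler TLS session, while the server checks the binding of the pooler<->server session, which is the point made above. Password, salt, nonce and the binding values are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample values; a real server derives these per user and session.
SALT = b"constructed-salt"
ITERATIONS = 4096

def stored_key(password: bytes) -> bytes:
    """StoredKey = H(ClientKey): what the server keeps instead of the password."""
    salted = hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest()

def c_attr(cbind_data: bytes) -> bytes:
    """The c= attribute: GS2 header announcing tls-unique plus the raw binding data."""
    return b"c=" + base64.b64encode(b"p=tls-unique,," + cbind_data)

def auth_message(nonce: bytes, cbind_data: bytes) -> bytes:
    """client-first-bare , server-first , client-final-without-proof (RFC 5802)."""
    client_first_bare = b"n=user,r=" + nonce
    server_first = b"r=" + nonce + b"srv,s=" + base64.b64encode(SALT) + b",i=" + str(ITERATIONS).encode()
    client_final_bare = c_attr(cbind_data) + b",r=" + nonce + b"srv"
    return b",".join([client_first_bare, server_first, client_final_bare])

def client_proof(password: bytes, msg: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    client_sig = hmac.new(hashlib.sha256(client_key).digest(), msg, hashlib.sha256).digest()
    return bytes(k ^ s for k, s in zip(client_key, client_sig))

def server_verify(skey: bytes, msg: bytes, proof: bytes, own_cbind: bytes) -> bool:
    """Server side: c= must match the binding of the server's own TLS session,
    and the proof must reproduce StoredKey over the exchanged messages."""
    if c_attr(own_cbind) not in msg:
        return False  # channel-binding mismatch: a different TLS endpoint signed this
    client_sig = hmac.new(skey, msg, hashlib.sha256).digest()
    client_key = bytes(p ^ s for p, s in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), skey)

def channel_binding_check(pooler_in_the_middle: bool) -> bool:
    """Client signs over TLS session A; a forwarding pooler talks to the server over
    its own TLS session B. Without a pooler, A and B are the same session."""
    nonce = b"constructed-nonce"
    cb_session_a = b"tls-unique-of-session-A"
    cb_session_b = b"tls-unique-of-session-B" if pooler_in_the_middle else cb_session_a
    msg = auth_message(nonce, cb_session_a)          # what the client actually signs
    proof = client_proof(b"s3cret", msg)
    return server_verify(stored_key(b"s3cret"), msg, proof, cb_session_b)
```

The direct case verifies; the forwarded case is rejected by the server, which is why the pooler must run SCRAM itself against each backend rather than relay the client's proof.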
