Re: No psql md5 auth, psql 14.1 to PG 11

Yup, FIPS-mode is on for both ends. I'd love a pointer to docs or other
resources for figuring out what the path forward looks like.

Thanks for the fast and insightful diagnostic tip..

-Pete O'Such

On Mon, Apr 18, 2022 at 5:08 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> writes:
> > On 4/18/22 13:12, Pete O'Such wrote:
> >> I'm unable to authenticate with psql to a PG 11 database on server A
> >> from server B which has PG 14.1 installed. So it's psql 14.1 not
> >> authenticating to PG 11. Other clients can and do authenticate to the
> >> PG 11 database, it only seems to fail with the psql 14.1 client.
> >>
> >> The PG 11 server uses md5. So is the PG 14.1, but I didn't expect that
> >> to matter for a straight psql connection plus interactive password
> entry.
>
> > My first thought was that is was a md5/scram-sha-256 issue but I'm not
> > sure how as both versions support both password types.
>
> I just checked the case here, and I can connect fine from psql 14 to
> a v11 server with a password stored in md5. So I'm not sure what's
> up either, but there has to be something off-the-beaten-path about
> this.
>
> Looking at the v14 code, the error message tells us that
> pg_password_sendauth failed, which has several possible explanations:
>
> * pqGetnchar failed, which'd imply a malformed server challenge message.
> Seems unlikely, if other clients can connect.
>
> * pg_md5_encrypt failed. Hard to believe ... unless the v14 psql
> is running on a FIPS-mode machine, which'd refuse all MD5 operations?
>
> * pqPacketSend failed, ie server disconnected after sending the
> challenge. Also seems doubtful.
>
> So my recommendation is to check for FIPS mode.
> If it's a recent Linux, what does "sysctl crypto.fips_enabled" say?
> (This theory also requires that v14 was built with openssl support.)
>
> FWIW, v15 will provide a more on-point error message in such cases.
>
> regards, tom lane
>