Re: [HACKERS] SCRAM auth and Pgpool-II

Поиск
Список
Период
Сортировка
От David Fetter
Тема Re: [HACKERS] SCRAM auth and Pgpool-II
Дата
Msg-id 20170707171833.GB26380@fetter.org
обсуждение исходный текст
Ответ на [HACKERS] SCRAM auth and Pgpool-II  (Tatsuo Ishii <ishii@sraoss.co.jp>)
Список pgsql-hackers
Дерево обсуждения 
On Thu, Jul 06, 2017 at 10:03:37AM +0900, Tatsuo Ishii wrote:
> Hi PostgreSQL hackers,
> 
> I would like to hear ideas how Pgpool-II can deal with SCRAM auth
> which will be in PostgreSQL 10.
> 
> For those who are not familiar with Pgpool-II[1], it is an external
> OSS project to provide some additional features to PostgreSQL,
> including load balancing and automatic failover. Pgpool-II works as a
> proxy between PostgreSQL client and PostgreSQL server(s).
> 
> When a client wants to connects to PostgreSQL and SCRAM auth is
> enabled, it sends user name to server. Then the server sends
> information including a salt to the client. The client computes a
> "ClientProof" using the salt and other information, and sends it to
> the server[2].
> 
> For Pgpool-II, things would go as follows:
> 
> 1) clients sends user name to Pgpool-II.
> 2) Pgpool-II forwards it to PostgreSQL servers.
> 3) Each PostgreSQL server sends their own salt to Pgpool-II.
> 4) Pgpool-II is confused because there are multiple salts and each has
>    different values. The client only accepts single salt obviously.
> 
> So my question is, is there any solution or workaround for the problem
> #4. Someone at PGCon 2017 suggested that the problem could be avoided
> if the auth method between the client and Pgpool-II is "trust" (which
> means no auth). But this does not seem to be a best solution for me
> because it would weaken the security.

In the end, what poolers do is doing is indistinguishable, in security
terms, from a man-in-the-middle attack.  To the client, the thing with
which they're negotiating auth and doing queries is Pgpool-II, in a
manner similar to writing to a RAID volume rather than any individual
disk in it.

Are people actually running Pgpool on an untrusted network to the
PostgreSQL nodes?

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david(dot)fetter(at)gmail(dot)com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Robert Haas
Дата:
Сообщение: Re: [HACKERS] SCRAM auth and Pgpool-II
Следующее
От: "Wong, Yi Wen"
Дата:
Сообщение: [HACKERS] replication_slot_catalog_xmin not explicitly initialized whencreating procArray