How does pgpool-II handle md5 authentication?

1. PostgreSQL and pgpool store md5(password+username) in pg_authid and pool_passwd respectively. From now on I denote the string md5(password+username) as "S".
2. When md5 auth is requested, pgpool sends a random salt "s0" to the frontend.
3. The frontend replies to pgpool with md5(S+s0).
4. pgpool extracts S from pool_passwd and calculates md5(S+s0). If the values from steps 3 and 4 match, it goes on to the next step.
5. Each backend sends its own salt to pgpool. Suppose we have two backends, b1 and b2, and their salts are s1 and s2.
6. pgpool extracts S from pool_passwd, calculates md5(S+s1) and sends it to b1. Likewise, it calculates md5(S+s2) and sends it to b2.
7. If b1 and b2 both accept the authentication, the whole md5 auth process succeeds.
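The seven steps above as an added sketch (not pgpool-II or PostgreSQL code). It follows the notation of this note, md5(S+salt) as a hex digest, and does not model the wire protocol; `Verifier`, `pgpool_auth` and `relay_frontend_reply` are hypothetical names, and the password, user and salts are constructed sample values.

```python
import hashlib, hmac, os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_secret(password: str, username: str) -> str:
    # "S" in the steps above: md5(password + username)
    return md5_hex((password + username).encode())

def respond(s: str, salt: bytes) -> str:
    # Answer to one challenge: md5(S + salt)
    return md5_hex(s.encode() + salt)

class Verifier:
    """A party that holds S and challenges with its own salt.
    Models pgpool toward the frontend and each backend toward pgpool."""
    def __init__(self, s: str):
        self.s, self.salt = s, b""

    def challenge(self, salt: bytes = None) -> bytes:
        self.salt = salt if salt is not None else os.urandom(4)
        return self.salt

    def check(self, response: str) -> bool:
        return hmac.compare_digest(respond(self.s, self.salt), response)

def pgpool_auth(password, user, pool_passwd_s, backends) -> bool:
    pgpool = Verifier(pool_passwd_s)
    s0 = pgpool.challenge()                              # step 2
    reply = respond(stored_secret(password, user), s0)   # step 3 (frontend)
    if not pgpool.check(reply):                          # step 4
        return False
    # steps 5-7: pgpool answers each backend's salt using S; all must accept
    return all(b.check(respond(pool_passwd_s, b.challenge())) for b in backends)

def relay_frontend_reply(password, user, backend, s0: bytes, s1: bytes) -> bool:
    # Hypothetical shortcut: forward the reply bound to s0 to a backend
    # that challenged with s1. It only verifies if the salts coincide.
    reply = respond(stored_secret(password, user), s0)
    backend.challenge(s1)
    return backend.check(reply)

if __name__ == "__main__":
    S = stored_secret("constructed-pw", "alice")  # constructed sample credentials
    print(pgpool_auth("constructed-pw", "alice", S, [Verifier(S), Verifier(S)]))
    print(relay_frontend_reply("constructed-pw", "alice", Verifier(S), b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"))
```

Because `respond()` needs only S, the contents of pool_passwd are sufficient to authenticate as that user and warrant the same protection as pg_authid.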

Why can't we disable md5 authentication when we have more than one backend? See http://www.sraoss.jp/pipermail/pgpool-general/2016-March/004593.html
