Thread: BUG #17740: Connecting postgresql 13 with different psql versions
The following bug has been logged on the website: Bug reference: 17740 Logged by: Anbu Email address: gopi.anbumech@gmail.com PostgreSQL version: 13.8 Operating system: linux Description: For GSSAPI Kerberos external authenticated connections, it appears that psql v13 is not honouring order of the rules specified in pg_hba.conf. Will there be any difference in way/options with which psql binary has been built ? With following entries in pg_hba.conf, psql v13 is prompting for password for Kerberos connections, whereas psql v11 succeeds connecting without any issue. local all pgbkp peer map=pgbackrest hostssl all +citi_pg_app_read 0.0.0.0/0 gss map=krb host all all 0.0.0.0/0 scram-sha-256 [kdc_test_fid@icl-actpsql-vm1 /psql13]$ psql -U app_kdc_test_fid -h x.x.x -d postgres -p 1524 Password for user app_kdc_test_fid: [kdc_test_fid@icl-actpsql-vm1 /psql11]$ psql -U app_kdc_test_fid -h x.x.x -d postgres -p 1524 psql (11.13, server 13.8) WARNING: psql major version 11, server major version 13. Some psql features might not work. SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) Type "help" for help. postgres=> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ But as soon as the this line is commented out in pg_hba.conf, GSSAPI Kerberos external authenticated connection succeeds for both psql V13 and v11. #host all all 0.0.0.0/0 scram-sha-256 [kdc_test_fid@icl-actpsql-vm1 /psql13]$ psql -U app_kdc_test_fid -h x.x.x -d postgres -p 1524 psql (13.8) SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off) Type "help" for help. postgres=> [kdc_test_fid@icl-actpsql-vm1 /psql11]$ psql -U app_kdc_test_fid -h x.x.x -d postgres -p 1524 psql (11.13, server 13.8) WARNING: psql major version 11, server major version 13. Some psql features might not work. SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) Type "help" for help. postgres=> Note: app_kdc_test_fid user is part of defined group in hba rules.
PG Bug reporting form <noreply@postgresql.org> writes:
> With following entries in pg_hba.conf, psql v13 is prompting for password
> for Kerberos connections, whereas psql v11 succeeds connecting without any
> issue.
> local all pgbkp peer map=pgbackrest
> hostssl all +citi_pg_app_read 0.0.0.0/0 gss map=krb
> host all all 0.0.0.0/0 scram-sha-256
> [kdc_test_fid@icl-actpsql-vm1 /psql13]$ psql -U app_kdc_test_fid -h x.x.x -d
> postgres -p 1524
> Password for user app_kdc_test_fid:
I suspect the v13 libpq is trying GSSAPI encryption before SSL encryption,
so it falls through the hostssl line and ends up at the catchall.
regards, tom lane
Dear Tom lane,
Is the way in which psql v11 behaved is the expected behaviour?
Any workaround is there for this to make it work as it was when pg 13 was connected with psql v11?
Can i make the ssl to be on and modify the host to hostssl in scram line of pg_hba?
On Mon, 9 Jan, 2023, 8:49 pm Tom Lane, <tgl@sss.pgh.pa.us> wrote:
PG Bug reporting form <noreply@postgresql.org> writes:
> With following entries in pg_hba.conf, psql v13 is prompting for password
> for Kerberos connections, whereas psql v11 succeeds connecting without any
> issue.
> local all pgbkp peer map=pgbackrest
> hostssl all +citi_pg_app_read 0.0.0.0/0 gss map=krb
> host all all 0.0.0.0/0 scram-sha-256
> [kdc_test_fid@icl-actpsql-vm1 /psql13]$ psql -U app_kdc_test_fid -h x.x.x -d
> postgres -p 1524
> Password for user app_kdc_test_fid:
I suspect the v13 libpq is trying GSSAPI encryption before SSL encryption,
so it falls through the hostssl line and ends up at the catchall.
regards, tom lane
Anbazhagan M <gopi.anbumech@gmail.com> writes:
> Any workaround is there for this to make it work as it was when pg 13 was
> connected with psql v11?
You could add a hostgssenc line specifying what you want the server
to do with that --- maybe just "hostgssenc ... reject" if you don't
want to think hard about it.
regards, tom lane
Thanks a lot Tom Lane.
Can you please help with documentation on how to use hostgssenc....reject?
On Mon, 9 Jan, 2023, 10:20 pm Tom Lane, <tgl@sss.pgh.pa.us> wrote:
Anbazhagan M <gopi.anbumech@gmail.com> writes:
> Any workaround is there for this to make it work as it was when pg 13 was
> connected with psql v11?
You could add a hostgssenc line specifying what you want the server
to do with that --- maybe just "hostgssenc ... reject" if you don't
want to think hard about it.
regards, tom lane
Dear Tom Lane/ Team,
If psql v11 is behaving in a right way, what difference made psql v13 to behave in a different way ? Was there any changes done between versions of psql v11 and v13 ?
Is it possible not to skip the gss auth line as it was in psql v11 ?
Sample pg_hba as in my original post is as below,
local all pgbkp peer map=pgbackrest
hostssl all +pg_app_read 0.0.0.0/0 gss map=krb
host all all 0.0.0.0/0 scram-sha-256
hostssl all +pg_app_read 0.0.0.0/0 gss map=krb
host all all 0.0.0.0/0 scram-sha-256
On Mon, 9 Jan 2023 at 23:00, Anbazhagan M <gopi.anbumech@gmail.com> wrote:
Thanks a lot Tom Lane.Can you please help with documentation on how to use hostgssenc....reject?On Mon, 9 Jan, 2023, 10:20 pm Tom Lane, <tgl@sss.pgh.pa.us> wrote:Anbazhagan M <gopi.anbumech@gmail.com> writes:
> Any workaround is there for this to make it work as it was when pg 13 was
> connected with psql v11?
You could add a hostgssenc line specifying what you want the server
to do with that --- maybe just "hostgssenc ... reject" if you don't
want to think hard about it.
regards, tom lane
Regards,
Anbu
Anbazhagan M <gopi.anbumech@gmail.com> writes:
> If psql v11 is behaving in a right way, what difference made psql v13 to
> behave in a different way ? Was there any changes done between versions of
> psql v11 and v13 ?
I told you already: I think the relevant difference is the addition of GSS
(i.e. Kerberos or equivalent) support starting in v12. Both versions are
behaving correctly according to their own feature sets. What is missing
is that you need to update your pg_hba.conf to account for the possibility
of GSS-encrypted connections.
regards, tom lane
Thanks for the clarification Tom Lane.
Can you guide me to the right documentation or steps on how to add/update rules in pg_hba.conf for the possibility of gss-encrypted connections ? Because, whenever I establish successful connection with gssapi, I am getting below entry in log which shows authenticated=yes, encrypted=no,,
2023-01-10 02:23:46.835 EST [3813278] LOG: 00000: connection authorized: user=app_kdc_test_fid database=postgres application_name=psql SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, compression=off) GSS (authenticated=yes, encrypted=no, principal=kdc_test_fid/x.x.x@WLAB.NET)
On Tue, 10 Jan 2023 at 20:39, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Anbazhagan M <gopi.anbumech@gmail.com> writes:
> If psql v11 is behaving in a right way, what difference made psql v13 to
> behave in a different way ? Was there any changes done between versions of
> psql v11 and v13 ?
I told you already: I think the relevant difference is the addition of GSS
(i.e. Kerberos or equivalent) support starting in v12. Both versions are
behaving correctly according to their own feature sets. What is missing
is that you need to update your pg_hba.conf to account for the possibility
of GSS-encrypted connections.
regards, tom lane
Regards,
Anbu
Dear Team,
Just to explain my usecase, I just want every connection to try to GSSAPI authentication first (which is first rule in my pg_hba.conf), and if on failure it should attempt password authentication next (which is subsequent rule in pg_hba.conf)
On Tue, 10 Jan 2023 at 20:53, Anbazhagan M <gopi.anbumech@gmail.com> wrote:
Thanks for the clarification Tom Lane.Can you guide me to the right documentation or steps on how to add/update rules in pg_hba.conf for the possibility of gss-encrypted connections ? Because, whenever I establish successful connection with gssapi, I am getting below entry in log which shows authenticated=yes, encrypted=no,,2023-01-10 02:23:46.835 EST [3813278] LOG: 00000: connection authorized: user=app_kdc_test_fid database=postgres application_name=psql SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, compression=off) GSS (authenticated=yes, encrypted=no, principal=kdc_test_fid/x.x.x@WLAB.NET)On Tue, 10 Jan 2023 at 20:39, Tom Lane <tgl@sss.pgh.pa.us> wrote:Anbazhagan M <gopi.anbumech@gmail.com> writes:
> If psql v11 is behaving in a right way, what difference made psql v13 to
> behave in a different way ? Was there any changes done between versions of
> psql v11 and v13 ?
I told you already: I think the relevant difference is the addition of GSS
(i.e. Kerberos or equivalent) support starting in v12. Both versions are
behaving correctly according to their own feature sets. What is missing
is that you need to update your pg_hba.conf to account for the possibility
of GSS-encrypted connections.
regards, tom lane--Regards,Anbu
Regards,
Anbu