On Thu, Jul 6, 2017 at 10:03 AM, Tatsuo Ishii <is...@sraoss.co.jp> wrote: > For Pgpool-II, things would go as follows: > > 1) clients sends user name to Pgpool-II. > 2) Pgpool-II forwards it to PostgreSQL servers. > 3) Each PostgreSQL server sends their own salt to Pgpool-II. > 4) Pgpool-II is confused because there are multiple salts and each has > different values. The client only accepts single salt obviously.
Couldn't you cache one single SASL exchange status for each connection, meaning one PGconn saved for each? As the challenge sent by the server and the response generated by the client are different by design, I am afraid you would need to do that anyway in this context (Isn't PG-pool using already the weaknesses of MD5 to make things easier?). As the server decides first which authentication type should happen before beginning the real message exchange, that should not be difficult. It seems to me that you would need something more modular than you have now if you want for example to handle automatically connections to multiple servers that have different password hashes stored for the same user. The latter may be an edge case with pgpool though. -- Michael -- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers