On Sun, Jul 27, 2025 at 1:59 PM Marc Haber <[email protected]>
wrote:

> Hi,
>
> On Sun, Jul 27, 2025 at 12:11:36PM +0200, Marc Haber wrote:
> >How would I verify whether my-postgres-password actually works? The
> >postgres container doesn't seem to expose a port to the host, and the
> >guacamole container doesn't have a command line client installed. When
> >I try psql -h 127.0.0.1 from the postgres container, authentication
> >succeeds without asking for a password.
> >
> >What is going wrong here? Is it possible that my update brought me to
> >a guacamole version that cannot talk any more to the ancient postgres
> >13.4 I am running?
> >
>

I suspect that the issue is with differences in default password hashing
algorithms between the version you're running and the newer JDBC driver
that is likely included in the new image. I'm having trouble finding the
exact documentation to corroborate this, and my impression was that this
was supposed to be automatically negotiated based on how the user's
password is actually set, but this is my suspicion. Older versions of
Postgres (prior to 15, IIRC), default to "md5" for the password hashing
algorithm, while 15.x and newer have changed to scram-sha-256 as the
default. My guess is that the JDBC driver moved to scram-sha-256 along with
the rest of the Postgres stack, and that's causing the authentication
failure you're seeing.

PostgreSQL 13.4 does have support for the scram-sha-256 hash, so you can
try resetting the password for the Guacamole user to the new hash
algorithm. From the PostgreSQL password authentication page (
https://www.postgresql.org/docs/13/auth-password.html):

> To upgrade an existing installation from md5 to scram-sha-256, after
> having ensured that all client libraries in use are new enough to support
> SCRAM, set password_encryption = 'scram-sha-256' in postgresql.conf, make
> all users set new passwords, and change the authentication method
> specifications in pg_hba.conf to scram-sha-256.

and:

> To ease transition from the md5 method to the newer SCRAM method, if md5 is
> specified as a method in pg_hba.conf but the user's password on the server
> is encrypted for SCRAM (see below), then SCRAM-based authentication will
> automatically be chosen instead.

Instead of changing in the postgresql.conf file, you should be able to just
launch the psql command and run:

set password_encryption = 'scram-sha-256';

and then change the password of the Guacamole user.


> >Would it help to update postgresql?
>
> It did help to go back to the previous image of guacamole. So, I'd say
> that the current docker image seems to be broken.
>
>
There's certainly an issue, here, for users pulling in older databases with
the newer Guacamole image; however, it isn't an issue with Guacamole
itself, and I'm not really sure there's any way to properly "fix" it - I'm
not able to find any option to force the MD5 password hash, and I don't
think downgrading the JDBC driver is a great way to go. The main mitigation
at this point seems to be just to document it in the installation or
upgrade notes.

Or my guess could be wrong and it could be something else entirely!

-Nick
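
Added example, not part of the original message and not Guacamole or PostgreSQL project code: a Python check of which hashing method a role's stored password uses, and whether a candidate password matches it, based on the two formats PostgreSQL stores in pg_authid.rolpassword. The role name guacamole_user, the salt and the sample verifiers are constructed, and an ASCII password is assumed.

```python
import base64, hashlib, hmac, re

# Shape of a SCRAM verifier as PostgreSQL stores it in pg_authid.rolpassword.
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)")

def md5_verifier(role, password):
    # 'md5' method: literal "md5" + hex(md5(password || role name)).
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()

def scram_verifier(password, salt, iterations=4096):
    # SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, base64 fields.
    # Assumption: ASCII password, so the SASLprep normalisation is a no-op.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return (f"SCRAM-SHA-256${iterations}:{b64(salt)}"
            f"${b64(stored_key)}:{b64(server_key)}")

def classify(rolpassword):
    # Report which hashing method produced the stored value.
    if rolpassword is None:
        return "none"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    if SCRAM_RE.fullmatch(rolpassword):
        return "scram-sha-256"
    return "unknown"

def password_matches(role, password, rolpassword):
    # Recompute the verifier from the candidate password and compare.
    kind = classify(rolpassword)
    if kind == "md5":
        return hmac.compare_digest(md5_verifier(role, password), rolpassword)
    if kind == "scram-sha-256":
        iterations, salt_b64 = SCRAM_RE.fullmatch(rolpassword).group(1, 2)
        expected = scram_verifier(password, base64.b64decode(salt_b64),
                                  int(iterations))
        return hmac.compare_digest(expected, rolpassword)
    return False

if __name__ == "__main__":
    role, pw = "guacamole_user", "my-postgres-password"  # constructed values
    for stored in (md5_verifier(role, pw),
                   scram_verifier(pw, b"constructed-salt")):
        print(classify(stored), password_matches(role, pw, stored))
```

The stored value to test comes from SELECT rolpassword FROM pg_authid WHERE rolname = '<role>'; which requires superuser access. The md5 form depends on the role name, so it only matches for the name the role had when the password was set.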
