New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unknown authenticationOk message type #1508

Open
Desp163 opened this Issue Nov 17, 2017 · 12 comments

Comments

@Desp163
Copy link

Desp163 commented Nov 17, 2017

With postgres 10.1 and SCRAM-SHA-256 password encryption enabled, node-postgres driver throws the following error:

Error: Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }

Not telling that encryption method is not supported or anything. It took a while to find out why my app is stopped working after i have changed the role name. I think there should be more verbose error for this case.

@Kidounet

This comment has been minimized.

Copy link

Kidounet commented Nov 27, 2017

Hello,
I have the same problem.
after migrate postgres 9 to 10, the database switch to SCRAM-SHA-256 password encryption.
but this pg_client is not compatible

first, change the postgresql.conf file :
password_encryption = md5

and restart database.
but not works ...

lookup users password encryption whith superuser (postgres) :
SELECT rolname, rolpassword FROM "pg_authid";

if password start with "SCRAM-SHA-256" (and not "md5"), it's too late, but not the end of world.

--> change all user with SCRAM-SHA-256 password for reset them :
(always whith postgres superuser) :
alter role xxxxx with password 'yyyyy'; (with xxxxx is the username, and yyyyy the new password)

--> the password is now encrypted with md5 crypto :
SELECT rolname, rolpassword FROM "pg_authid";
--> the password start with "md5"

and now, i can use this pg_client without this error

explanation : the size "23" is because he know password is encrypted with SCRAM-SHA-256, and change the auth message for ask SCRAM password, and it's not implemented yet ...

have fun !

@jafri

This comment has been minimized.

Copy link

jafri commented Dec 17, 2017

With postgresql starting to move towards SASL authentication with the introduction of SCRAM-SHA-256, and the known vulnerabilities in MD5, I think it is important for all major postgresql libraries to be supporting this encryption.

It is already supported in the latest libpq versions, which I know @brianc has create some native node bindings for.

@vlad-bezden

This comment has been minimized.

Copy link

vlad-bezden commented Mar 16, 2018

Are there any plans to support following authentications?

  • SSPI
  • SCRAM-SHA-256

Thanks

@riteshsingh2k

This comment has been minimized.

Copy link

riteshsingh2k commented Apr 19, 2018

I am using postgres 10 with SCRAM-SHA-256 password encryption and getting following error
Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }

@hauseralex

This comment has been minimized.

Copy link

hauseralex commented Jun 7, 2018

Hi,

I am also facing this problem and tried to fix it according to @Kidounet 's suggestion, but in my case this change doesn't seem to have the needed effect.
Additionally to the mentioned above I also edited the pg_hba.conf file. There I replaced every "scram-sha-256" with "md5".
When restarting and trying the ALTER ROLE command, the password is still encrypted with scram-sha-256.

I am on a kubernetes environment (server version 1.8). My postgresql config files are on a persistent volume, so when I restart the database pod the changed config files are still there and should be applied.

Any hints on what I am missing?

Thanks a lot!

EDIT: Okay, just found out that in my setup there was another config file that needed to be changed ... Now it is working fine!

@smcmurray

This comment has been minimized.

Copy link

smcmurray commented Jul 30, 2018

@brianc, Can you post some response here to set some expectation on your intentions regarding SCRAM-SHA-256?

@smcmurray

This comment has been minimized.

Copy link

smcmurray commented Aug 9, 2018

@mohanpindyala

This comment has been minimized.

Copy link

mohanpindyala commented Sep 24, 2018

@hauseralex can you help us enable SCRAM-SHA-256 for RDS PG? Looks like we don't have access to change pg_hba.conf file in aws, Is there a workaround for it?

@hauseralex

This comment has been minimized.

Copy link

hauseralex commented Sep 27, 2018

Hi @mohanpindyala if you need scram-sha-256 you can use postgres in version 10. Or if you have write access to postgresql.conf file try Kidounet's attempt. I also found out that pg_hba.conf file doesn't need to be touched as it gets generated from the specifications in postgresql.conf on database start/restart (correct me, if I'm wrong)

@brianc

This comment has been minimized.

Copy link
Owner

brianc commented Oct 9, 2018

I'm open to pull requests for adding this authentication. I'll likely get around to it eventually, when I need it in my own work, but if you need it sooner please submit a PR!

@mYnDstrEAm

This comment has been minimized.

Copy link

mYnDstrEAm commented Nov 22, 2018

This means there's no way for secure password encryption when using Node.js with Postgres to date?

Kidounet's solution to just use MD5 didn't work for me: I kept getting

{
  "name": "error",
  "length": 99,
  "severity": "ERROR",
  "code": "42501",
  "file": "aclchk.c",
  "line": "3410",
  "routine": "aclcheck_error"
}

as response after changing the 2 config files, altering all passwords and server-restarts/reloads (all passwords started with "md5"). Earlier I tried if it would work if I just have one user with limited privileges with MD5 and the other ones with SCRAM-SHA-256. Didn't work. Maybe there was a problem with pgAdmin4 running? It works now after purging and reinstalling the packages and leaving MD5 as it was.
It only works when that user can login and has superuser rights.

@nanaya

This comment has been minimized.

Copy link

nanaya commented Dec 8, 2018

I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment