Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unknown authenticationOk message type #1508

Closed
Desp163 opened this issue Nov 17, 2017 · 19 comments
Closed

Unknown authenticationOk message type #1508

Desp163 opened this issue Nov 17, 2017 · 19 comments

Comments

@Desp163
Copy link

Desp163 commented Nov 17, 2017

With postgres 10.1 and SCRAM-SHA-256 password encryption enabled, node-postgres driver throws the following error:

Error: Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }

Not telling that encryption method is not supported or anything. It took a while to find out why my app is stopped working after i have changed the role name. I think there should be more verbose error for this case.
@Kidounet
Copy link

Kidounet commented Nov 27, 2017
edited

Hello,
I have the same problem.
after migrate postgres 9 to 10, the database switch to SCRAM-SHA-256 password encryption.
but this pg_client is not compatible

first, change the postgresql.conf file :
password_encryption = md5

and restart database.
but not works ...

lookup users password encryption whith superuser (postgres) :
SELECT rolname, rolpassword FROM "pg_authid";

if password start with "SCRAM-SHA-256" (and not "md5"), it's too late, but not the end of world.

--> change all user with SCRAM-SHA-256 password for reset them :
(always whith postgres superuser) :
alter role xxxxx with password 'yyyyy'; (with xxxxx is the username, and yyyyy the new password)

--> the password is now encrypted with md5 crypto :
SELECT rolname, rolpassword FROM "pg_authid";
--> the password start with "md5"

and now, i can use this pg_client without this error

explanation : the size "23" is because he know password is encrypted with SCRAM-SHA-256, and change the auth message for ask SCRAM password, and it's not implemented yet ...

have fun !

@jafri
Copy link

jafri commented Dec 17, 2017
edited

With postgresql starting to move towards SASL authentication with the introduction of SCRAM-SHA-256, and the known vulnerabilities in MD5, I think it is important for all major postgresql libraries to be supporting this encryption.

It is already supported in the latest libpq versions, which I know @brianc has create some native node bindings for.

@vlad-bezden
Copy link

Are there any plans to support following authentications?

  • SSPI
  • SCRAM-SHA-256

Thanks

@riteshsingh2k
Copy link

riteshsingh2k commented Apr 19, 2018
edited

I am using postgres 10 with SCRAM-SHA-256 password encryption and getting following error
Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }

@hauseralex
Copy link

hauseralex commented Jun 7, 2018
edited

Hi,

I am also facing this problem and tried to fix it according to @Kidounet 's suggestion, but in my case this change doesn't seem to have the needed effect.
Additionally to the mentioned above I also edited the pg_hba.conf file. There I replaced every "scram-sha-256" with "md5".
When restarting and trying the ALTER ROLE command, the password is still encrypted with scram-sha-256.

I am on a kubernetes environment (server version 1.8). My postgresql config files are on a persistent volume, so when I restart the database pod the changed config files are still there and should be applied.

Any hints on what I am missing?

Thanks a lot!

EDIT: Okay, just found out that in my setup there was another config file that needed to be changed ... Now it is working fine!

@smcmurray
Copy link

@brianc, Can you post some response here to set some expectation on your intentions regarding SCRAM-SHA-256?

@smcmurray
Copy link

@charmander?

@mohanpindyala
Copy link

@hauseralex can you help us enable SCRAM-SHA-256 for RDS PG? Looks like we don't have access to change pg_hba.conf file in aws, Is there a workaround for it?

@hauseralex
Copy link

Hi @mohanpindyala if you need scram-sha-256 you can use postgres in version 10. Or if you have write access to postgresql.conf file try Kidounet's attempt. I also found out that pg_hba.conf file doesn't need to be touched as it gets generated from the specifications in postgresql.conf on database start/restart (correct me, if I'm wrong)

@brianc
Copy link
Owner

brianc commented Oct 9, 2018

I'm open to pull requests for adding this authentication. I'll likely get around to it eventually, when I need it in my own work, but if you need it sooner please submit a PR!

@mYnDstrEAm
Copy link

mYnDstrEAm commented Nov 22, 2018
edited

This means there's no way for secure password encryption when using Node.js with Postgres to date?

Kidounet's solution to just use MD5 didn't work for me: I kept getting

{
  "name": "error",
  "length": 99,
  "severity": "ERROR",
  "code": "42501",
  "file": "aclchk.c",
  "line": "3410",
  "routine": "aclcheck_error"
}

as response after changing the 2 config files, altering all passwords and server-restarts/reloads (all passwords started with "md5"). Earlier I tried if it would work if I just have one user with limited privileges with MD5 and the other ones with SCRAM-SHA-256. Didn't work. Maybe there was a problem with pgAdmin4 running? It works now after purging and reinstalling the packages and leaving MD5 as it was.
It only works when that user can login and has superuser rights.

@nanaya
Copy link

nanaya commented Dec 8, 2018
edited

I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

@andreme andreme mentioned this issue Feb 16, 2019
Merged
@jonjensen
Copy link

@nanaya Thanks for the pointer! pg-native worked for me too.

@ololoepepe
Copy link

ololoepepe commented Feb 27, 2019
edited

JFYI, adding SASL (SCRAM-SHA-256, for instance) support is not as easy and straightforward, as it may seem to be. I've investigated on this a little, and it seems that there are no JS libs for SCRAM-SHA-256. Implementing it here from scratch is not a good idea, as it will require additional tests and is, well, out of the scope of this lib.

There is at least one implementation in Java which may be ported, but it's too much effort, really. Yes, there is a JS lib (last commit 5 years ago) that supports SASL SHA-1, but again, too much effort to add SHA-256 support, test it, etc.

So, as soon as JS SASL implementation that supports SHA-256 appears, I'll make a PR, as auth process itself is not that complicated.

@lshqqytiger lshqqytiger mentioned this issue Aug 22, 2020
Closed
@Gargron Gargron mentioned this issue Nov 7, 2020
Closed
@vitaly-t vitaly-t mentioned this issue Dec 23, 2020
Closed
@lshqqytiger lshqqytiger mentioned this issue Apr 25, 2021
Closed
@Afoxcute
Copy link

Afoxcute commented Jun 6, 2021

I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

how did you set the env var pls

@charmander
Copy link
Collaborator

@Afoxcute pg supports SCRAM-SHA-256 now (#1835), so you shouldn’t need any workarounds.

@Afoxcute
Copy link

Afoxcute commented Jun 7, 2021

@charmander yes i saw it in my conf file but anytime I try to connect with my db it brings out authenticationok error.

@sivarasanOensys
Copy link

I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

great thanks, you saved my time

This was referenced Sep 18, 2021
Open
Open
@everything411 everything411 mentioned this issue Aug 11, 2022
Closed
@slaveofcode
Copy link

I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

Thank you @nanaya your solution works for me 🚀

@lshqqytiger lshqqytiger mentioned this issue Jan 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests