brianc/node-postgres

Unknown authenticationOk message type

Closed this issue · 19 comments

With postgres 10.1 and SCRAM-SHA-256 password encryption enabled, node-postgres driver throws the following error:

Error: Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }

It does not say that the encryption method is not supported or anything. It took a while to find out why my app stopped working after I changed the role name. I think there should be a more verbose error for this case.

Hello,
I have the same problem.
After migrating postgres 9 to 10, the database switched to SCRAM-SHA-256 password encryption,
but this pg_client is not compatible.

First, change the postgresql.conf file:
password_encryption = md5

and restart the database.
But it does not work ...

Look up the users' password encryption as superuser (postgres):
SELECT rolname, rolpassword FROM "pg_authid";

If a password starts with "SCRAM-SHA-256" (and not "md5"), it's too late, but not the end of the world.

--> Reset the password of every user that has a SCRAM-SHA-256 password
(always as the postgres superuser):
alter role xxxxx with password 'yyyyy'; (where xxxxx is the username and yyyyy the new password)

--> The password is now encrypted with md5:
SELECT rolname, rolpassword FROM "pg_authid";
--> The password starts with "md5".

And now I can use this pg_client without this error.

Explanation: the size "23" is because it knows the password is encrypted with SCRAM-SHA-256 and changes the auth message to ask for a SCRAM password, and that's not implemented yet ...

have fun !
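The length of 23 reported in the error matches a PostgreSQL AuthenticationSASL request (sub-type 10) that offers the single mechanism SCRAM-SHA-256. The decoder below is an added example, not code from this thread or from node-postgres; `parseAuthenticationMessage` and `buildSaslRequest` are illustrative names, and the sample message is constructed.

```javascript
// Authentication request sub-types from the PostgreSQL frontend/backend protocol.
const AUTH_CODES = {
  0: 'AuthenticationOk',
  3: 'AuthenticationCleartextPassword',
  5: 'AuthenticationMD5Password',
  10: 'AuthenticationSASL',
  11: 'AuthenticationSASLContinue',
  12: 'AuthenticationSASLFinal',
};

function parseAuthenticationMessage(buf) {
  if (buf.length < 9 || buf[0] !== 0x52) { // every Authentication message starts with 'R'
    throw new Error('not an Authentication message');
  }
  const length = buf.readInt32BE(1); // counts itself but not the type byte
  if (length < 8 || buf.length < 1 + length) {
    throw new Error('truncated or malformed Authentication message');
  }
  const code = buf.readInt32BE(5);
  const body = buf.subarray(9, 1 + length);
  const msg = { length, code, name: AUTH_CODES[code] || 'unsupported', mechanisms: [] };
  if (code === 10) {
    // Body is a list of NUL-terminated mechanism names, closed by an empty name.
    let start = 0;
    while (start < body.length && body[start] !== 0) {
      const end = body.indexOf(0, start);
      if (end === -1) throw new Error('unterminated mechanism name');
      msg.mechanisms.push(body.toString('latin1', start, end));
      start = end + 1;
    }
  }
  return msg;
}

// Constructed sample: the request a server sends for a role with a SCRAM-SHA-256 password.
function buildSaslRequest(mechanisms) {
  const list = Buffer.from(mechanisms.map((m) => m + '\0').join('') + '\0', 'latin1');
  const head = Buffer.alloc(9);
  head.write('R', 0, 'latin1');
  head.writeInt32BE(8 + list.length, 1);
  head.writeInt32BE(10, 5);
  return Buffer.concat([head, list]);
}

console.log(parseAuthenticationMessage(buildSaslRequest(['SCRAM-SHA-256'])));
// length 23 = 4 (length) + 4 (code) + 14 ("SCRAM-SHA-256\0") + 1 (list terminator)
```

A client that logs the decoded sub-type and mechanism list can report "server requires SCRAM-SHA-256, which this driver does not support" rather than an opaque parser error.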

jafri commented

With postgresql starting to move towards SASL authentication with the introduction of SCRAM-SHA-256, and the known vulnerabilities in MD5, I think it is important for all major postgresql libraries to be supporting this encryption.

It is already supported in the latest libpq versions, which I know @brianc has created some native node bindings for.

Are there any plans to support the following authentications?

  • SSPI
  • SCRAM-SHA-256

Thanks

I am using postgres 10 with SCRAM-SHA-256 password encryption and getting the following error:
Unknown authenticationOk message typeMessage { name: 'authenticationOk', length: 23 }

Hi,

I am also facing this problem and tried to fix it according to @Kidounet's suggestion, but in my case this change doesn't seem to have the needed effect.
In addition to the above, I also edited the pg_hba.conf file. There I replaced every "scram-sha-256" with "md5".
When restarting and trying the ALTER ROLE command, the password is still encrypted with scram-sha-256.

I am on a kubernetes environment (server version 1.8). My postgresql config files are on a persistent volume, so when I restart the database pod the changed config files are still there and should be applied.

Any hints on what I am missing?

Thanks a lot!

EDIT: Okay, just found out that in my setup there was another config file that needed to be changed ... Now it is working fine!

@brianc, Can you post some response here to set some expectation on your intentions regarding SCRAM-SHA-256?

@hauseralex can you help us enable SCRAM-SHA-256 for RDS PG? Looks like we don't have access to change the pg_hba.conf file in AWS. Is there a workaround for it?

Hi @mohanpindyala, if you need scram-sha-256 you can use postgres in version 10. Or, if you have write access to the postgresql.conf file, try Kidounet's attempt. I also found out that the pg_hba.conf file doesn't need to be touched, as it gets generated from the specifications in postgresql.conf on database start/restart (correct me if I'm wrong).

I'm open to pull requests for adding this authentication. I'll likely get around to it eventually, when I need it in my own work, but if you need it sooner please submit a PR!

This means there's no way for secure password encryption when using Node.js with Postgres to date?

Kidounet's solution to just use MD5 didn't work for me: I kept getting

{
  "name": "error",
  "length": 99,
  "severity": "ERROR",
  "code": "42501",
  "file": "aclchk.c",
  "line": "3410",
  "routine": "aclcheck_error"
}

as response after changing the 2 config files, altering all passwords and server-restarts/reloads (all passwords started with "md5"). Earlier I tried if it would work if I just have one user with limited privileges with MD5 and the other ones with SCRAM-SHA-256. Didn't work. Maybe there was a problem with pgAdmin4 running? It works now after purging and reinstalling the packages and leaving MD5 as it was.
It only works when that user can login and has superuser rights.

I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

@nanaya Thanks for the pointer! pg-native worked for me too.

JFYI, adding SASL (SCRAM-SHA-256, for instance) support is not as easy and straightforward, as it may seem to be. I've investigated on this a little, and it seems that there are no JS libs for SCRAM-SHA-256. Implementing it here from scratch is not a good idea, as it will require additional tests and is, well, out of the scope of this lib.

There is at least one implementation in Java which may be ported, but it's too much effort, really. Yes, there is a JS lib (last commit 5 years ago) that supports SASL SHA-1, but again, too much effort to add SHA-256 support, test it, etc.

So, as soon as JS SASL implementation that supports SHA-256 appears, I'll make a PR, as auth process itself is not that complicated.
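For reference, the client side of the SCRAM-SHA-256 exchange (RFC 5802 with the SHA-256 profile of RFC 7677) written against Node's built-in crypto module. This is an added example, not code from node-postgres or from any commenter; the function names are illustrative, and it assumes no channel binding and an ASCII password (SASLprep normalisation and the PostgreSQL message framing are left out).

```javascript
const { createHmac, createHash, pbkdf2Sync, timingSafeEqual } = require('node:crypto');

const hmac = (key, data) => createHmac('sha256', key).update(data).digest();
const sha256 = (data) => createHash('sha256').update(data).digest();

// "r=...,s=...,i=..." -> { r, s, i }; values may themselves contain '='.
function parseAttrs(msg) {
  const out = {};
  for (const part of msg.split(',')) out[part[0]] = part.slice(2);
  return out;
}

// Build client-final-message and the server signature the client must later see.
function scramClientFinal({ user, password, clientNonce, serverFirst }) {
  const { r: nonce, s: salt, i: iter } = parseAttrs(serverFirst);
  if (!nonce || !salt || !/^[1-9][0-9]*$/.test(iter || '')) {
    throw new Error('malformed server-first-message');
  }
  // The server nonce must extend ours, otherwise the reply is not for this exchange.
  if (!nonce.startsWith(clientNonce) || nonce.length === clientNonce.length) {
    throw new Error('server nonce does not extend client nonce');
  }
  // Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 and a 32-byte output.
  const salted = pbkdf2Sync(password, Buffer.from(salt, 'base64'), Number(iter), 32, 'sha256');
  const clientKey = hmac(salted, 'Client Key');
  const withoutProof = `c=${Buffer.from('n,,').toString('base64')},r=${nonce}`; // no channel binding
  const authMessage = `n=${user},r=${clientNonce},${serverFirst},${withoutProof}`;
  const clientSignature = hmac(sha256(clientKey), authMessage); // keyed with StoredKey
  const proof = Buffer.alloc(clientKey.length);
  for (let i = 0; i < proof.length; i++) proof[i] = clientKey[i] ^ clientSignature[i];
  return {
    clientFinal: `${withoutProof},p=${proof.toString('base64')}`,
    serverSignature: hmac(hmac(salted, 'Server Key'), authMessage),
  };
}

// Mutual authentication: accept the login only if the server proves it holds the verifier.
function verifyServerFinal(serverFinal, expected) {
  const got = Buffer.from(parseAttrs(serverFinal).v || '', 'base64');
  return got.length === expected.length && timingSafeEqual(got, expected);
}

// Test vector from RFC 7677, section 3 (user "user", password "pencil").
const rfc = scramClientFinal({
  user: 'user', password: 'pencil', clientNonce: 'rOprNGfwEbeRWgbNEkqO',
  serverFirst: 'r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096',
});
console.log(rfc.clientFinal);
console.log(verifyServerFinal('v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=', rfc.serverSignature));
```

Unlike the md5 method, the password never crosses the wire in a replayable form, and the final check lets the client reject a server that does not know the stored verifier.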

> I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

how did you set the env var pls

@Afoxcute pg supports SCRAM-SHA-256 now (#1835), so you shouldn’t need any workarounds.

@charmander yes I saw it in my conf file, but anytime I try to connect with my db it brings out the authenticationok error.

> I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

great thanks, you saved my time

> I have same problem and worked around it by installing pg-native and setting NODE_PG_FORCE_NATIVE=1 environment variable.

Thank you @nanaya your solution works for me 🚀