Yup, FIPS-mode is on for both ends. I'd love a pointer to docs or other resources for figuring out what the path forward looks like.
Thanks for the fast and insightful diagnostic tip..
-Pete O'Such
On Mon, Apr 18, 2022 at 5:08 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
Adrian Klaver <adrian.klaver@xxxxxxxxxxx> writes:
> On 4/18/22 13:12, Pete O'Such wrote:
>> I'm unable to authenticate with psql to a PG 11 database on server A
>> from server B which has PG 14.1 installed. So it's psql 14.1 not
>> authenticating to PG 11. Other clients can and do authenticate to the
>> PG 11 database, it only seems to fail with the psql 14.1 client.
>>
>> The PG 11 server uses md5. So is the PG 14.1, but I didn't expect that
>> to matter for a straight psql connection plus interactive password entry.
> My first thought was that is was a md5/scram-sha-256 issue but I'm not
> sure how as both versions support both password types.
I just checked the case here, and I can connect fine from psql 14 to
a v11 server with a password stored in md5. So I'm not sure what's
up either, but there has to be something off-the-beaten-path about
this.
Looking at the v14 code, the error message tells us that
pg_password_sendauth failed, which has several possible explanations:
* pqGetnchar failed, which'd imply a malformed server challenge message.
Seems unlikely, if other clients can connect.
* pg_md5_encrypt failed. Hard to believe ... unless the v14 psql
is running on a FIPS-mode machine, which'd refuse all MD5 operations?
* pqPacketSend failed, ie server disconnected after sending the
challenge. Also seems doubtful.
So my recommendation is to check for FIPS mode.
If it's a recent Linux, what does "sysctl crypto.fips_enabled" say?
(This theory also requires that v14 was built with openssl support.)
FWIW, v15 will provide a more on-point error message in such cases.
regards, tom lane
