SCRAM-SHA-256 authentication fails against PostgreSQL 18 (28P01) #765

@jotacampos

Description

PgDog v0.1.28 fails to authenticate against PostgreSQL 18 (Patroni HA cluster) using SCRAM-SHA-256. The password is correct — psql from the same container authenticates successfully, but PgDog's SCRAM client implementation fails.

Environment

  • PgDog: v0.1.28 (main@943b652, rustc 1.93.0)
  • PostgreSQL: 18 (managed by Pigsty/Patroni)
  • Cluster: 1 Primary + 2 Replicas
  • OS: Ubuntu 24.04 (ARM64, OCI)
  • Auth method in pg_hba.conf: scram-sha-256
  • Password: plaintext in users.toml (contains . and ! characters)

Configuration

pgdog.toml (relevant parts):

[general]
auth_type = "scram"

[[databases]]
name = "mydb"
host = "10.0.0.3"
port = 5432
role = "primary"
database_name = "mydb"

users.toml:

[[users]]
name = "myuser"
database = "mydb"
password = "MyP@ssw0rd!"
server_user = "myuser"
server_password = "MyP@ssw0rd!"
pool_size = 25
min_pool_size = 5
pooler_mode = "transaction"

Reproduction

  1. Start PgDog with the config above pointing to PostgreSQL 18
  2. PgDog immediately fails with 28P01 password authentication failed

INFO  loaded "pgdog.toml"
INFO  loaded "users.toml"
INFO  🐕 PgDog listening on 0.0.0.0:6432
INFO  new connection requested: reason=min [myuser@10.0.0.3:5432/mydb]
ERROR error connecting to server: FATAL: 28P01 password authentication failed for user "myuser"

Verification

From the same container, psql authenticates successfully:

PGPASSWORD="MyP@ssw0rd!" psql -h 10.0.0.3 -p 5432 -U myuser -d mydb -c "SELECT 1"
# Returns: ok = 1

PostgreSQL logs confirm:

  • Source IP is correct
  • pg_hba rule matches: host all +dbrole_readonly 10.0.0.0/8 scram-sha-256
  • Auth method: scram-sha-256
  • Result: password authentication failed

What I've ruled out

  • ❌ Network issue (psql works from same container, same network)
  • ❌ Password substitution (verified bytes with od -c, no corruption)
  • ❌ TOML parsing (PgDog logs "loaded users.toml" without error)
  • ❌ pg_hba.conf mismatch (PostgreSQL logs show correct rule match)
  • ❌ Docker networking (tested with both bridge and host network — same result)
  • ❌ Connecting via PgBouncer:6432 instead of PG:5432 — 08P01 SASL authentication failed

Expected behavior

PgDog should authenticate successfully using SCRAM-SHA-256, same as psql does with the same credentials.

Possible cause

PgDog's SCRAM-SHA-256 client implementation may have an incompatibility with PostgreSQL 18's SCRAM handshake. Related: #48 (SCRAM with TLS).
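
To separate a credential mismatch from a client-side handshake bug, the check below (an added example, not part of the issue and not PgDog's code) recomputes what a SCRAM-SHA-256 client derives per RFC 5802/7677 and compares it with a verifier string in the format PostgreSQL keeps in pg_authid.rolpassword. It assumes an ASCII password, for which SASLprep is a no-op; the sample salt is constructed, the handshake messages are the RFC 7677 test exchange, and all function names are illustrative.

```python
import base64
import hashlib
import hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_keys(password: str, salt: bytes, iterations: int):
    """Return (ClientKey, StoredKey, ServerKey) as defined in RFC 5802, using SHA-256."""
    if not password.isascii():  # assumption: ASCII only, so SASLprep changes nothing
        raise ValueError("non-ASCII password needs SASLprep, which is not implemented here")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest(), _hmac(salted, b"Server Key")

def make_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build 'SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>' as PostgreSQL stores it."""
    _, stored, server = derive_keys(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored)}:{b64(server)}"

def password_matches(verifier: str, password: str) -> bool:
    """True if the password reproduces the StoredKey and ServerKey inside the verifier."""
    scheme, params, keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt = params.split(":")
    stored, server = (base64.b64decode(k) for k in keys.split(":"))
    _, want_stored, want_server = derive_keys(password, base64.b64decode(salt), int(iterations))
    return hmac.compare_digest(stored, want_stored) and hmac.compare_digest(server, want_server)

def client_proof(password: str, salt: bytes, iterations: int, auth_message: str) -> str:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), base64 as sent in 'p='."""
    client_key, stored_key, _ = derive_keys(password, salt, iterations)
    signature = _hmac(stored_key, auth_message.encode())
    return base64.b64encode(bytes(a ^ b for a, b in zip(client_key, signature))).decode()

# RFC 7677 section 3 test exchange (user "user", password "pencil"):
# client-first-bare, server-first and client-final-without-proof, joined by commas.
RFC7677_SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
RFC7677_AUTH_MESSAGE = (
    "n=user,r=rOprNGfwEbeRWgbNEkqO,"
    "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096,"
    "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
)

if __name__ == "__main__":
    # Constructed 16-byte salt with the placeholder password from the issue's users.toml.
    sample = make_verifier("MyP@ssw0rd!", b"constructed-salt")
    print(sample, password_matches(sample, "MyP@ssw0rd!"))
    print("p=" + client_proof("pencil", RFC7677_SALT, 4096, RFC7677_AUTH_MESSAGE))
```

If `password_matches` returns True for the role's rolpassword value while the pooler still receives 28P01, the credentials are consistent and the handshake messages themselves are the place to look.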
