Thread: [BUGS] BUG #14661: authentication behavior (SCRAM-MD5)
The following bug has been logged on the website:

Bug reference:      14661
Logged by:          Anthony Sotolongo León
Email address:      asotolongo@gmail.com
PostgreSQL version: 10beta1
Operating system:   Ubuntu 14.04
Description:

I have a pg_hba.conf like this:

host all usuario  0.0.0.0/0 scram-sha-256
host all postgres 0.0.0.0/0 scram-sha-256

and my user with md5 password encryption:

select usename,passwd from pg_shadow ;
 usename  |               passwd
----------+-------------------------------------
 postgres | md50005a4b0ccaccbd18bcf64e90e242c90
 usuario  | md541f55d102ea5687e95fb361019a12da4

and when I try to login, login error, and it returns the error:

2017-05-19 16:51:20.312 CEST [1418] FATAL:  la autentificación password falló para el usuario «postgres»
2017-05-19 16:51:20.312 CEST [1418] DETALLE:  User "postgres" does not have a valid SCRAM verifier.
        La conexión coincidió con la línea 83 de pg_hba.conf: «host all postgres 0.0.0.0/0 scram-sha-256»

I think that is correct, but when I have the next configuration:

pg_hba.conf
host all usuario  0.0.0.0/0 md5
host all postgres 0.0.0.0/0 md5

and my user with SCRAM encryption:

postgres=# select usename,passwd from pg_shadow ;
 usename  |                                                         passwd
----------+--------------------------------------------------------------------------------------------------------------------------------
 usuario  | SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=
 postgres | SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=
(2 filas)

and when I try to login, login successfully.

Is this behavior correct?

Greetings

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
On 05/19/2017 06:05 PM, asotolongo@gmail.com wrote:
> I think that is correct, but when I have the next configuration:
> pg_hba.conf
> host all usuario  0.0.0.0/0 md5
> host all postgres 0.0.0.0/0 md5
>
> and my user with SCRAM encryption:
> postgres=# select usename,passwd from pg_shadow ;
>  usename  | passwd
> ----------+-------------------------------------------------------------------------------------------------------------------------------
>  usuario  | SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=
>  postgres | SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=
> (2 filas)
>
> and when I try to login, login successfully.
> Is this behavior correct?

Yeah, "md5" in pg_hba.conf really means "md5 or scram-sha-256, depending on what kind of password hash the user has".

The documentation at https://www.postgresql.org/docs/devel/static/auth-methods.html#auth-password tries to explain it:

> scram-sha-256 performs SCRAM-SHA-256 authentication, as described in
> RFC5802. It is a challenge-response scheme, that prevents password
> sniffing on untrusted connections. It is more secure than the md5
> method, but might not be supported by older clients.
>
> md5 allows falling back to a less secure challenge-response mechanism
> for those users with an MD5 hashed password. The fallback mechanism
> also prevents password sniffing, but provides no protection if an
> attacker manages to steal the password hash from the server, and it
> cannot be used with the db_user_namespace feature. For all other
> users, md5 works the same as scram-sha-256.

- Heikki
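The rule Heikki states, worked through as an added Python example (not PostgreSQL's code and not from anyone in the thread): it builds the two verifier formats visible in the pg_shadow output, classifies a stored verifier by its prefix, and resolves which mechanism a given pg_hba.conf method will actually run. Standard library only; the username, password and fixed salt are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Shape of the two verifier formats shown in the pg_shadow output above.
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)$")
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")

def md5_verifier(username: str, password: str) -> str:
    """Legacy PostgreSQL verifier: "md5" + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

def scram_verifier(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> str:
    """SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, all base64;
    key derivation per RFC 5802 (PBKDF2-HMAC-SHA-256, then two HMACs)."""
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def verifier_kind(passwd: str) -> str:
    """Classify a pg_shadow.passwd value by its prefix, as the server does."""
    if SCRAM_RE.match(passwd):
        return "scram-sha-256"
    if MD5_RE.match(passwd):
        return "md5"
    return "unknown"

def resolve_auth(hba_method: str, passwd: str) -> Optional[str]:
    """Mechanism the server actually negotiates for a pg_hba.conf method and a
    stored verifier. None means the login is rejected, e.g. the FATAL
    "does not have a valid SCRAM verifier" case from the report. "md5" in
    pg_hba.conf falls back to MD5 only for MD5-hashed users and runs SCRAM
    for everyone else, as the reply above explains."""
    kind = verifier_kind(passwd)
    if hba_method == "scram-sha-256":
        return "scram-sha-256" if kind == "scram-sha-256" else None
    if hba_method == "md5":
        return kind if kind in ("md5", "scram-sha-256") else None
    raise ValueError(f"unsupported pg_hba.conf method: {hba_method}")

if __name__ == "__main__":
    print(resolve_auth("scram-sha-256", md5_verifier("postgres", "example")))  # None
    print(resolve_auth("md5", scram_verifier("example")))  # scram-sha-256
```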
Thanks!!! :D

On 19/05/17 11:47, Heikki Linnakangas wrote:
> Yeah, "md5" in pg_hba.conf really means "md5 or scram-sha-256,
> depending on what kind of password hash the user has".
>
> The documentation at
> https://www.postgresql.org/docs/devel/static/auth-methods.html#auth-password
> tries to explain it:
>
>> scram-sha-256 performs SCRAM-SHA-256 authentication, as described in
>> RFC5802. It is a challenge-response scheme, that prevents password
>> sniffing on untrusted connections. It is more secure than the md5
>> method, but might not be supported by older clients.
>>
>> md5 allows falling back to a less secure challenge-response mechanism
>> for those users with an MD5 hashed password. The fallback mechanism
>> also prevents password sniffing, but provides no protection if an
>> attacker manages to steal the password hash from the server, and it
>> cannot be used with the db_user_namespace feature. For all other
>> users, md5 works the same as scram-sha-256.
>
> - Heikki